Hi, this topic was originally posted here:
http://forums.pragprog.com/forums/59/topics/917
Quick summary: forms created method=GET fail with a signature validation error:

Facebooker::Session::IncorrectSignature (Facebooker::Session::IncorrectSignature):
    /vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:146:in `verify_signature'
    /vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:120:in `verified_facebook_params'
    /vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:35:in `facebook_params'
    /vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:63:in `valid_session_key_in_session?'
    /vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:41:in `session_already_secured?'

//////
This can be reproduced with a small test application:

    rails test
    cd test
    script/plugin install git://github.com/mmangino/facebooker.git
    ruby script/generate controller home index search

views/home/index.fbml.erb:

    <h1>Home</h1>
    <% form_tag(url_for(:action => :search), {:method=>:get}) do %>
    <p><%= text_field_tag(:keyword, params[:keyword]) %></p>
    <p><fb:submit>Go</fb:submit></p>
    <% end %>

app/controller/application.rb - added immediately below helper :all

    ensure_application_is_installed_by_facebook_user
    ensure_authenticated_to_facebook

And then I set up my development server and tunnel as I do with normal
development. The error is the same. Also, if I remove the :method
=> :get, the error does not occur.
//////
I have done some additional digging tonight on the problem, and here
is what I've learned:

1. The verify_signature is working correctly (as expected) and
calculating on all values passed to it --- the calculation is actually
rendering a result inconsistent with the fb_sig passed to it.
2. The hidden parameters from the form that appear in the URL are
being faithfully transmitted through Facebook to Facebooker and
showing up properly in verify_signature
3. A copy + paste of the "raw string" generated by a working GET and
a failing GET are identical except the timestamp and the session
expiration time (of course). You can test a working GET by removing
the parameters from the URL letting facebook regenerate them. This
way everything else is identical.

==> I can only conclude that the fb_sig sent by facebook is being
calculated based on a different order of parameters or excluding some
parameters, but I don't know how to go about finding which ones
(except brute force yuck). I can't find any of the FB pages that
offer any useful advice on this.

Quick reference:
Forms and Hidden Inputs:
http://wiki.developers.facebook.com/index.php/UsageNotes/Forms
How Facebook Authenticates:
http://wiki.developers.facebook.com/index.php/How_Facebook_Authenticates_Your_Application
Verifying the Signature:
http://wiki.developers.facebook.com/index.php/Verifying_The_Signature
-Paul
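
An added example, not part of the original post and not Facebooker's own code: it assumes the legacy canvas scheme in which fb_sig is the MD5 hex digest of the sorted key=value pairs of the fb_sig_* parameters (prefix stripped) followed by the application secret, and automates the comparison described in points 1 to 3 above. The helper names, the secret and the two sample requests are constructed for illustration.

```ruby
require 'digest/md5'

# Assumption (legacy canvas scheme, not taken from Facebooker's source):
#   fb_sig = MD5_hex(sorted "key=value" pairs of fb_sig_* params,
#                    prefix stripped, followed by the application secret)
PREFIX = 'fb_sig_'

# Separate the signed fb_sig_* parameters from the signature and from
# ordinary form fields such as "keyword", which are not signed.
def split_signed_params(params)
  signed = {}
  params.each do |key, value|
    signed[key[PREFIX.length..-1]] = value if key.start_with?(PREFIX)
  end
  [signed, params['fb_sig']]
end

# The "raw string": sorting makes it independent of the order in the URL.
def raw_string(signed)
  signed.map { |k, v| "#{k}=#{v}" }.sort.join
end

def signature_for(signed, secret)
  Digest::MD5.hexdigest(raw_string(signed) + secret)
end

# Compare digests without returning early on the first differing byte.
def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Fail closed: a missing or mismatching fb_sig means the request is rejected.
def valid_signature?(params, secret)
  signed, sig = split_signed_params(params)
  secure_equal?(signature_for(signed, secret), sig)
end

# Point 3 of the post: list the parameters that differ between two requests.
def differing_keys(a, b)
  (a.keys | b.keys).select { |k| a[k] != b[k] }.sort
end

# The hypothesis in the post: the signer left a parameter out. Using the
# application's own secret, report each signed parameter whose removal
# makes the received fb_sig verify.
def params_excluded_by_signer(params, secret)
  signed, sig = split_signed_params(params)
  signed.keys.select do |key|
    subset = signed.reject { |k, _| k == key }
    secure_equal?(signature_for(subset, secret), sig)
  end
end

# --- constructed sample data (not real keys, users or sessions) ---
SECRET = 'constructed-application-secret'

# Hypothetical helper: build a request the way the assumed scheme signs it,
# optionally leaving some parameters out of the signed string.
def sample_request(signed, secret, form_fields = {}, unsigned: [])
  covered = signed.reject { |k, _| unsigned.include?(k) }
  params = {}
  signed.each { |k, v| params[PREFIX + k] = v }
  params.merge(form_fields).merge('fb_sig' => signature_for(covered, secret))
end

WORKING = sample_request(
  { 'time' => '1226611200.10', 'expires' => '1226696400',
    'user' => '1000001', 'added' => '1' }, SECRET)

FAILING = sample_request(
  { 'time' => '1226611260.55', 'expires' => '1226697000',
    'user' => '1000001', 'added' => '1' }, SECRET,
  { 'keyword' => 'rails' }, unsigned: ['added'])

if __FILE__ == $PROGRAM_NAME
  puts "working verifies: #{valid_signature?(WORKING, SECRET)}"
  puts "failing verifies: #{valid_signature?(FAILING, SECRET)}"
  puts "differs in:       #{differing_keys(WORKING, FAILING).inspect}"
  puts "left unsigned:    #{params_excluded_by_signer(FAILING, SECRET).inspect}"
end
```
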

This just started showing up in a working app, anyone else seeing this?

Paul Covell wrote:
> Quick summary: forms created method=GET fail with a signature
> validation error:
> Facebooker::Session::IncorrectSignature
> (Facebooker::Session::IncorrectSignature):

I am also experiencing issues with Incorrect Signatures. The signatures that Facebook are passing are of a strange format. For example:

2:t2lkRVehtrhJWvEMUlny_g__:86400:1226696400-213412341

It seems like a lot of people are experiencing this problem (http://forum.developers.facebook.com/viewtopic.php?id=24251).

Did Facebook change the format of the session key?

On Thu, Nov 13, 2008 at 1:19 PM, Mike Summers <msummers at solarpowerme.com> wrote:
> This just started showing up in a working app, anyone else seeing this?

Looks like the Facebook Platform Team is aware of this issue. You can track the bug here: http://bugs.developers.facebook.com/show_bug.cgi?id=3754

On Thu, Nov 13, 2008 at 1:24 PM, Agile Dev <agiledevcool at gmail.com> wrote:
> I am also experiencing issues with Incorrect Signatures. The signatures
> that Facebook are passing are of a strange format. For example:
>
> 2:t2lkRVehtrhJWvEMUlny_g__:86400:1226696400-213412341
>
> It seems like a lot of people are experiencing this problem (
> http://forum.developers.facebook.com/viewtopic.php?id=24251).
>
> Did Facebook change the format of the session key?

I'm seeing it on both of my production apps. The only quick fix I found is to comment out a couple lines in verify_signature (vendor/plugins/facebooker/lib/facebooker/rails/controller.rb). I'm trying to find out what's going on.

On Nov 13, 2008, at 1:19 PM, Mike Summers wrote:
> This just started showing up in a working app, anyone else seeing
> this?

From the Developers Forum:
> We've flipped the sitevar back for now while we investigate this issue.
>
> Platform Developer Operations & Support

My apps are working now.

On Thu, Nov 13, 2008 at 1:26 PM, Chad Remesch <chad at remesch.com> wrote:
> I'm seeing it on both of my production apps. The only quick fix I found is
> to comment out a couple lines in verify_signature
> (vendor/plugins/facebooker/lib/facebooker/rails/controller.rb). I'm trying
> to find out what's going on.

We're back too... another lovely day in Facebook land.

I'm used to this happening every Monday first thing, but Thursday afternoon? Geez.

Agile Dev wrote:
> From the Developers Forum:
>> We've flipped the sitevar back for now while we investigate this issue.
>>
>> Platform Developer Operations & Support
>
> My apps are working now.

I'm still seeing this behaviour on an app I have in development. My form (generated using the standard rails form_for) works fine until I add a :method => :get to the form_for. When submitting a GET form, the request fails with IncorrectSignature.

From this thread it looks like the issue was originally caused by a Facebook change? Is anyone else still seeing this issue? Am I right in assuming that forms on facebook canvas pages with method="GET" should normally work fine?

Kind regards,
Lee.

2008/9/26 Paul Covell <pac at alum.mit.edu>:
> Quick summary: forms created method=GET fail with a signature validation
> error:
> Facebooker::Session::IncorrectSignature
> (Facebooker::Session::IncorrectSignature):

--
Lee Mallabone.
Crossbone Systems Ltd.
http://www.crossbonesystems.com/
http://www.fonicmonkey.net/
http://CambridgeWebHeads.ning.com/