For quite a while now users on my application have seemingly randomly
experienced authenticity token failures. I think I may have seen them a
couple times myself.
The error is as follows:
ActionController::InvalidAuthenticityToken
/home/deploy/.gem/ruby/1.8/gems/actionpack-2.2.2/lib/action_controller/request_forgery_protection.rb:86:in `verify_authenticity_token'
There does not appear to be any specific action that causes them, and
usually users get through on their second attempt.
After looking through the error and request logs I am completely at a loss
as to how this could happen. All parameters seem to be correct, and users do
get through after trying again. There is a minimal delay between when the
form is generated and the user submits it.
Here is a sample of the parameters of one of the failing requests. (Some
parameters have been obfuscated). As you can see, the authenticity_token is
present.
Parameters: {"format"=>"fbml",
"commit"=>"Continue",
"fb_sig_time"=>"1231261212.664",
"fb_sig"=>"828a350a3b6ade0223b0eeb911a51248",
"fb_sig_in_new_facebook"=>"1",
"authenticity_token"=>"87149fbbb58318eb7b85f20b5b0cf2a75fa78a47",
"fb_sig_locale"=>"en_US",
"action"=>"create",
"object1"=>{"prameter1"=>"***",
"parameter2"=>"***"},
"fb_sig_position_fix"=>"1",
"fb_sig_in_canvas"=>"1",
"fb_sig_session_key"=>"2.gvXYwPbU_5_RNd3GQLjg9A__.86400.1231351200-***",
"fb_sig_request_method"=>"POST",
"controller"=>"***",
"fb_sig_expires"=>"1231351200",
"fb_sig_friends"=>"***",
"fb_sig_added"=>"1",
"fb_sig_api_key"=>"4ea2871be8fb71d66673d3692d94c6bc",
"fb_sig_user"=>"***",
"fb_sig_profile_update_time"=>"1230057986"}
Does anyone have any idea how this could happen? After considering things
for a while I am wondering if CSRF protection is even necessary on Facebook
applications since users could be validated through the fb_sig_session_key.
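The two checks in play here, side by side, as an added Ruby example. This is not code from the post, from Rails or from Facebooker: the fb_sig computation follows the legacy Facebook platform scheme (MD5 over the sorted fb_sig_* name=value pairs plus the app secret), the authenticity token is modelled on the Rails 2.x session-bound SHA1(secret + session_id) variant, and all secrets, ids, session ids and the way the canvas proxy appends fb_sig_* parameters for the viewing user are constructed assumptions. The point it shows is that fb_sig proves the request was relayed by Facebook for the logged-in user, while only the authenticity token binds the submission to the session that rendered the form and is unknown to a third-party page.

```ruby
require 'digest/md5'
require 'digest/sha1'

# Constructed secrets and identifiers; none of these come from the original post.
APP_SECRET  = 'constructed-facebook-app-secret'
CSRF_SECRET = 'constructed-rails-forgery-secret'

# fb_sig_* parameters the legacy canvas proxy appended for the viewing user
# (constructed values).
VICTIM_FB_PARAMS = {
  'fb_sig_user'           => '12345',
  'fb_sig_session_key'    => '2.constructed.86400.1231351200-12345',
  'fb_sig_time'           => '1231261212.664',
  'fb_sig_expires'        => '1231351200',
  'fb_sig_request_method' => 'POST',
  'fb_sig_api_key'        => 'constructedapikey0000000000000000',
  'fb_sig_in_canvas'      => '1',
}.freeze

# Legacy Facebook platform signature: MD5 over the sorted "key=value" strings of
# every fb_sig_* parameter (prefix stripped), concatenated, followed by the app
# secret. Ordinary form fields are not part of the signed payload.
def fb_sig_for(params, secret = APP_SECRET)
  payload = params.select { |k, _| k.start_with?('fb_sig_') }
                  .map { |k, v| "#{k.sub(/\Afb_sig_/, '')}=#{v}" }
                  .sort
                  .join
  Digest::MD5.hexdigest(payload + secret)
end

def fb_sig_valid?(params)
  params['fb_sig'] == fb_sig_for(params)
end

# CSRF token bound to the session, modelled on the Rails 2.x :secret variant
# (assumed here): SHA1(secret + session_id). It is rendered into the form when
# the page is generated and recomputed from the session the app resolves for
# the submitting request, so a session that changes between the two steps
# cannot match even though a token is present in the parameters.
def form_authenticity_token(session_id, secret = CSRF_SECRET)
  Digest::SHA1.hexdigest("#{secret}#{session_id}")
end

def verified_request?(method, params, session_id)
  method == 'GET' || params['authenticity_token'] == form_authenticity_token(session_id)
end

# A form submitted from a page the app rendered for session `render_session_id`,
# with the proxy's fb_sig_* parameters and signature attached.
def canvas_post(render_session_id, form_fields)
  params = VICTIM_FB_PARAMS.merge(form_fields)
  params['authenticity_token'] = form_authenticity_token(render_session_id)
  params['fb_sig'] = fb_sig_for(params)
  params
end

# A POST that a third-party page makes the victim's browser send through the
# canvas proxy: attacker-chosen form fields, with the victim's fb_sig_* params
# appended and signed by the proxy. The attacker never sees the victim's token.
def proxied_cross_site_post(form_fields)
  params = VICTIM_FB_PARAMS.merge(form_fields)
  params['fb_sig'] = fb_sig_for(params)
  params
end

def check(params, submit_session_id)
  { fb_sig: fb_sig_valid?(params),
    csrf:   verified_request?('POST', params, submit_session_id) }
end

def run_scenarios
  legit = canvas_post('sess-A', 'object1' => { 'amount' => '10' })
  {
    # Same session at render and submit: both checks pass.
    same_session:    check(legit, 'sess-A'),
    # Session resolved at submit differs from the one at render: fb_sig is
    # fine and a token is present, yet verification fails.
    session_changed: check(legit, 'sess-B'),
    # Cross-site POST relayed by the proxy: fb_sig validates, since the form
    # fields are not signed and the victim is the logged-in user; only the
    # token check stands between the forged request and the action.
    cross_site:      check(proxied_cross_site_post('object1' => { 'amount' => '9999' }), 'sess-A'),
  }
end

if __FILE__ == $PROGRAM_NAME
  run_scenarios.each { |name, result| puts "#{name}: #{result}" }
end
```

Run it directly to see the three outcomes. The `cross_site` case is the one to keep in mind when weighing whether fb_sig_session_key can replace CSRF protection: a valid fb_sig says who the viewer is, not whether the viewer meant to submit those form fields.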