kevin lochner
2009-Jan-07 17:04 UTC
[Facebooker-talk] Random authenticity token failures
This is related to the message I sent yesterday. You're probably getting the error when Facebook pings your post-auth URL. Stumbling around a little, I found this discussion from March, which advocated skipping verify_authenticity_token for your callback URL from Facebook:

http://rubyforge.org/pipermail/facebooker-talk/2008-March/000456.html

I didn't have any problem taking the standard approach in my controller:

  skip_before_filter :verify_authenticity_token, :only => [:post_auth_url, :post_remove_url]

and as you said, as long as you're verifying the signature in these functions, it shouldn't be a security concern.

On Jan 6, 2009, at 10:24 PM, George Deglin wrote:

> For quite a while now users on my application have seemingly randomly experienced authenticity token failures. I think I may have seen them a couple times myself.
>
> The error is as follows:
>
>   ActionController::InvalidAuthenticityToken
>   /home/deploy/.gem/ruby/1.8/gems/actionpack-2.2.2/lib/action_controller/request_forgery_protection.rb:86:in `verify_authenticity_token'
>
> There does not appear to be any specific action that causes them, and usually users get through on their second attempt.
>
> After looking through the error and request logs I am completely at a loss as to how this could happen. All parameters seem to be correct and users do get through after trying again. There is a minimal delay between when the form is generated and the user submits it.
>
> Here is a sample of the parameters of one of the failing requests. (Some parameters have been obfuscated.) As you can see, the authenticity_token is present.
> Parameters: {"format"=>"fbml", "commit"=>"Continue",
> "fb_sig_time"=>"1231261212.664",
> "fb_sig"=>"828a350a3b6ade0223b0eeb911a51248",
> "fb_sig_in_new_facebook"=>"1",
> "authenticity_token"=>"87149fbbb58318eb7b85f20b5b0cf2a75fa78a47",
> "fb_sig_locale"=>"en_US", "action"=>"create",
> "object1"=>{"prameter1"=>"***", "parameter2"=>"***"},
> "fb_sig_position_fix"=>"1", "fb_sig_in_canvas"=>"1",
> "fb_sig_session_key"=>"2.gvXYwPbU_5_RNd3GQLjg9A__.86400.1231351200-***",
> "fb_sig_request_method"=>"POST", "controller"=>"***",
> "fb_sig_expires"=>"1231351200", "fb_sig_friends"=>"***",
> "fb_sig_added"=>"1",
> "fb_sig_api_key"=>"4ea2871be8fb71d66673d3692d94c6bc",
> "fb_sig_user"=>"***", "fb_sig_profile_update_time"=>"1230057986"}
>
> Does anyone have any idea how this could happen? After considering things for a while I am wondering if CSRF protection is even necessary on Facebook applications, since users could be validated through the fb_sig_session_key.
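As an added example (not code from either poster or from Facebooker itself), here is the signature check that skipping verify_authenticity_token relies on, in plain Ruby: it reimplements Facebook's legacy fb_sig scheme (strip the fb_sig_ prefix, sort by key, concatenate key=value pairs, append the app secret, MD5) and also rejects requests whose fb_sig_expires has passed. The app secret, the user id and the Rails wiring are assumptions; the parameter names follow the quoted request.

```ruby
require 'digest/md5'

# Facebook's legacy "fb_sig" scheme as used by Facebooker in 2009: take every
# fb_sig_* parameter, strip the "fb_sig_" prefix, sort by key, concatenate the
# "key=value" pairs with no separator, append the app secret and MD5 the lot.
# The hex digest must equal the separate "fb_sig" parameter.
FB_SIG_PREFIX = 'fb_sig_'.freeze

def fb_signature(params, secret)
  payload = params.select { |k, _| k.start_with?(FB_SIG_PREFIX) }.
                   map     { |k, v| [k[FB_SIG_PREFIX.length..-1], v] }.
                   sort_by { |k, _| k }.
                   map     { |k, v| "#{k}=#{v}" }.
                   join
  Digest::MD5.hexdigest(payload + secret)
end

# Constant-time comparison so a wrong guess does not leak how many leading
# characters of the signature matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The check the callback actions run instead of verify_authenticity_token:
# the signature must match and the session must not have expired
# (fb_sig_expires is a Unix timestamp; Facebook sent 0 for infinite sessions).
# `now` is injectable so captured requests from the past can be tested.
def valid_fb_request?(params, secret, now = Time.now.to_i)
  sig = params['fb_sig']
  return false unless sig.is_a?(String) && secure_compare(fb_signature(params, secret), sig)
  expires = params['fb_sig_expires'].to_i
  expires.zero? || expires > now
end

# Constructed sample modelled on the quoted request; the secret and user id are
# placeholders, not real values.
APP_SECRET = 'placeholder-app-secret'.freeze
SAMPLE_PARAMS = {
  'fb_sig_time'        => '1231261212.664',
  'fb_sig_user'        => '1234567',
  'fb_sig_api_key'     => '4ea2871be8fb71d66673d3692d94c6bc',
  'fb_sig_expires'     => '1231351200',
  'fb_sig_in_canvas'   => '1',
  'authenticity_token' => 'not-covered-by-the-signature'
}
SAMPLE_PARAMS['fb_sig'] = fb_signature(SAMPLE_PARAMS, APP_SECRET)
```

In a Rails 2.2 controller this would sit in a before_filter on the callback actions that skip verify_authenticity_token, with the secret read from the app's Facebooker configuration rather than hard-coded.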