kevin lochner
2009-Jan-07 17:04 UTC
[Facebooker-talk] Random authenticity token failures
This is related to the message I sent yesterday. You're probably
getting the error when facebook pings your post-auth url.
Stumbling around a little, I found this discussion from March, which
advocated skipping the verify_authenticity_token for your callback url
from facebook:
http://rubyforge.org/pipermail/facebooker-talk/2008-March/000456.html
I didn't have any problem taking the standard approach in my
controller:
skip_before_filter :verify_authenticity_token, :only => [:post_auth_url, :post_remove_url]
and as you said, as long as you're verifying the signature in these
functions, it shouldn't be a security concern.
On Jan 6, 2009, at 10:24 PM, George Deglin wrote:
> For quite a while now users on my application have seemingly
> randomly experienced authenticity token failures. I think I may have
> seen them a couple times myself.
>
> The error is as follows:
> ActionController::InvalidAuthenticityToken
> /home/deploy/.gem/ruby/1.8/gems/actionpack-2.2.2/lib/action_controller/request_forgery_protection.rb:86:in `verify_authenticity_token'
>
> There does not appear to be any specific action that causes them,
> and usually users get through on their second attempt.
>
> After looking through the error and request logs I am completely at
> a loss to how this could happen. All parameters seem to be correct
> and users do get through after trying again. There is a minimal
> delay between when the form is generated and the user submits it.
>
> Here is a sample of the parameters of one of the failing requests.
> (Some parameters have been obfuscated). As you can see, the
> authenticity_token is present.
> Parameters: {"format"=>"fbml", "commit"=>"Continue",
>   "fb_sig_time"=>"1231261212.664",
>   "fb_sig"=>"828a350a3b6ade0223b0eeb911a51248",
>   "fb_sig_in_new_facebook"=>"1",
>   "authenticity_token"=>"87149fbbb58318eb7b85f20b5b0cf2a75fa78a47",
>   "fb_sig_locale"=>"en_US", "action"=>"create",
>   "object1"=>{"parameter1"=>"***", "parameter2"=>"***"},
>   "fb_sig_position_fix"=>"1", "fb_sig_in_canvas"=>"1",
>   "fb_sig_session_key"=>"2.gvXYwPbU_5_RNd3GQLjg9A__.86400.1231351200-***",
>   "fb_sig_request_method"=>"POST", "controller"=>"***",
>   "fb_sig_expires"=>"1231351200", "fb_sig_friends"=>"***",
>   "fb_sig_added"=>"1",
>   "fb_sig_api_key"=>"4ea2871be8fb71d66673d3692d94c6bc",
>   "fb_sig_user"=>"***", "fb_sig_profile_update_time"=>"1230057986"}
>
> Does anyone have any idea how this could happen? After considering
> things for a while I am wondering if CSRF protection is even
> necessary on Facebook applications since users could be validated
> through the fb_sig_session_key.
> _______________________________________________
> Facebooker-talk mailing list
> Facebooker-talk at rubyforge.org
> http://rubyforge.org/mailman/listinfo/facebooker-talk
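Editor's note on what "verifying the signature" means in practice. The block below is an added example, not Facebooker's code and not code from either poster. It implements the classic Facebook platform signature check as that platform documented it: every parameter whose name starts with fb_sig_ is taken, the prefix stripped, the pairs sorted by name, joined as name=value with no separator, the application secret appended, and the MD5 hex digest compared against the fb_sig parameter. APP_SECRET, sample_request and all parameter values are placeholders constructed here; treating fb_sig_expires of 0 as "no expiry" is an assumption based on the old platform's infinite-session convention.

```ruby
require 'digest/md5'

FB_SIG_PREFIX = 'fb_sig_'

# Build the string Facebook signed: sorted fb_sig_* pairs, prefix stripped,
# concatenated as "name=value" with no separator. Parameters that do not
# start with fb_sig_ (form fields, authenticity_token, ...) are NOT covered,
# which is why the app must still treat those as untrusted input.
def fb_signature_payload(params)
  params.select { |k, _| k.to_s.start_with?(FB_SIG_PREFIX) }
        .map { |k, v| [k.to_s[FB_SIG_PREFIX.length..-1], v.to_s] }
        .sort_by { |name, _| name }
        .map { |name, value| "#{name}=#{value}" }
        .join
end

# The digest Facebook sends as fb_sig; also used here to build test input.
def sign_fb_params(params, secret)
  Digest::MD5.hexdigest(fb_signature_payload(params) + secret)
end

# Constant-time comparison so response timing does not reveal how many
# leading hex characters of a forged fb_sig were correct.
def secure_equals?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# True only when fb_sig is present, matches the digest computed with our
# secret, and fb_sig_expires (Unix time) has not passed. Assumption: an
# expires value of 0 means "never expires", as for old infinite sessions.
def valid_fb_sig?(params, secret, now: Time.now.to_i)
  given = params['fb_sig'] || params[:fb_sig]
  return false if given.nil? || given.to_s.empty?
  expected = sign_fb_params(params, secret)
  return false unless secure_equals?(expected, given.to_s)
  expires = (params['fb_sig_expires'] || params[:fb_sig_expires]).to_i
  expires == 0 || expires > now
end

# Placeholder secret; a real app secret is never checked into source.
APP_SECRET = 'example-app-secret'

# Constructed request modelled on the parameter dump in the thread; values
# are made up and the fb_sig is computed with the placeholder secret.
def sample_request(secret = APP_SECRET)
  p = {
    'format'                 => 'fbml',
    'commit'                 => 'Continue',
    'authenticity_token'     => 'not-checked-on-callback-routes',
    'fb_sig_time'            => '1231261212.664',
    'fb_sig_in_new_facebook' => '1',
    'fb_sig_locale'          => 'en_US',
    'fb_sig_in_canvas'       => '1',
    'fb_sig_request_method'  => 'POST',
    'fb_sig_expires'         => '1231351200',
    'fb_sig_added'           => '1',
    'fb_sig_api_key'         => 'placeholder-api-key',
    'fb_sig_user'            => '12345'
  }
  p.merge('fb_sig' => sign_fb_params(p, secret))
end

if __FILE__ == $0
  req = sample_request
  puts(valid_fb_sig?(req, APP_SECRET, now: 1231261213) ? 'signature ok' : 'signature rejected')
  puts(valid_fb_sig?(req.merge('fb_sig_user' => '99999'), APP_SECRET, now: 1231261213) ? 'tampered accepted (bad)' : 'tampered rejected')
end
```

In a Rails controller this would sit in a before_filter on the same actions that skip verify_authenticity_token, rendering 403 when valid_fb_sig?(params, secret) is false. Note the two limits the check has: only fb_sig_* parameters are signed, so any other field in the callback is still attacker-controlled, and the signature is bound to the secret and the expiry time but not to a nonce, so a captured callback can be replayed until fb_sig_expires passes.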