[Facebooker-talk] forgery Protection
Mike Mangino
mmangino at elevatedrails.com
Thu Aug 21 10:45:26 EDT 2008
Ah, okay. You'll definitely need to disable forgery protection for the
install and uninstall actions since Bebo/Facebook can't possibly send
that value. I personally disable it for all actions since the fb_sig
serves the same purpose.
Mike
On Aug 21, 2008, at 10:35 AM, Dara wrote:
> FYI, the below log snippet I posted earlier is the wrong trace
> segment.
> Apologies.
> This is the correct log segment:
>
>
> Processing LeaveController#index (for 208.75.184.192 at 2008-08-21
> 15:24:37) [POST]
> Session ID: xxxxxxxxxxxxxxx
> Parameters: {"fb_sig_time"=>"11111111111", "fb_sig"=>"AAAAAAAAA",
> "action"=>"index", "fb_sig_call_id"=>"1111111111111",
> "controller"=>"leave", "fb_sig_network"=>"Bebo",
> "fb_sig_added"=>"0", "fb_sig_api_key"=>"BBBBBBBB",
> "fb_sig_uninstall"=>"1", "fb_sig_user"=>"CCCCCCCC"}
>
>
> ActionController::InvalidAuthenticityToken
> (ActionController::InvalidAuthenticityToken):
> /home/dara/apps/ruby-1.8.6/lib/ruby/gems/1.8/gems/actionpack-2.1.0/
> lib/action_controller/request_forgery_protection.rb:86:in
> `verify_authenticity_token'
> /home/dara/apps/ruby-1.8.6/lib/ruby/gems/1.8/gems/
> activesupport-2.1.0/lib/active_support/callbacks.rb:173:in `send'
> /home/dara/apps/ruby-1.8.6/lib/ruby/gems/1.8/gems/
> activesupport-2.1.0/lib/active_support/callbacks.rb:173:in
> `evaluate_method'
> /home/dara/apps/ruby-1.8.6/lib/ruby/gems/1.8/gems/
> activesupport-2.1.0/lib/active_support/callbacks.rb:161:in `call'
> /home/dara/apps/ruby-1.8.6/lib/ruby/gems/1.8/gems/actionpack-2.1.0/
> lib/action_controller/filters.rb:430:in `call'
> /home/dara/apps/ruby-1.8.6/lib/ruby/gems/1.8/gems/actionpack-2.1.0/
> lib/action_controller/filters.rb:592:in `run_before_filters'
> /home/dara/apps/ruby-1.8.6/lib/ruby/gems/1.8/gems/actionpack-2.1.0/
> lib/action_controller/filters.rb:578:in `call_filters'
> /home/dara/apps/ruby-1.8.6/lib/ruby/gems/1.8/gems/actionpack-2.1.0/
> lib/action_controller/filters.rb:573:in
> `perform_action_without_benchmark'
> /home/dara/apps/ruby-1.8.6/lib/ruby/gems/1.8/gems/actionpack-2.1.0/
> lib/action_controller/benchmarking.rb:68:in
> `perform_action_without_rescue'
> /home/dara/apps/ruby-1.8.6/lib/ruby/1.8/benchmark.rb:293:in `measure'
> ...
>
>
> Dara wrote:
>> Has anybody solved this issue [ http://rubyforge.org/pipermail/facebooker-talk/2008-April/000552.html ]?
>>
>> NameError (undefined local variable or method `controller' for
>> #<LeaveController:0xb7144abc>):
>> /app/controllers/application.rb:24:in `verify_authenticity_token'
>> /home/dara/apps/ruby-1.8.6/lib/ruby/gems/1.8/gems/
>> activesupport-2.1.0/lib/active_support/callbacks.rb:173:in `send'
>> /home/dara/apps/ruby-1.8.6/lib/ruby/gems/1.8/gems/
>> activesupport-2.1.0/lib/active_support/callbacks.rb:173:in
>> `evaluate_method'
>> /home/dara/apps/ruby-1.8.6/lib/ruby/gems/1.8/gems/
>> activesupport-2.1.0/lib/active_support/callbacks.rb:161:in `call'
>> /home/dara/apps/ruby-1.8.6/lib/ruby/gems/1.8/gems/
>> actionpack-2.1.0/lib/action_controller/filters.rb:430:in `call'
>> /home/dara/apps/ruby-1.8.6/lib/ruby/gems/1.8/gems/
>> actionpack-2.1.0/lib/action_controller/filters.rb:592:in
>> `run_before_filters'
>> /home/dara/apps/ruby-1.8.6/lib/ruby/gems/1.8/gems/
>> actionpack-2.1.0/lib/action_controller/filters.rb:578:in
>> `call_filters'
>> /home/dara/apps/ruby-1.8.6/lib/ruby/gems/1.8/gems/
>> actionpack-2.1.0/lib/action_controller/filters.rb:573:in
>> `perform_action_without_benchmark'
>> /home/dara/apps/ruby-1.8.6/lib/ruby/gems/1.8/gems/
>> actionpack-2.1.0/lib/action_controller/benchmarking.rb:68:in
>> `perform_action_without_rescue'
>> /home/dara/apps/ruby-1.8.6/lib/ruby/1.8/benchmark.rb:293:in
>> `measure'
>>
>> I don't have the secret commented in the environment either.
>>
>> Should I be trying to disable forgery protection for certain calls
>> from facebook/bebo ?
>>
>> Cheers
>> _______________________________________________
>> Facebooker-talk mailing list
>> Facebooker-talk at rubyforge.org
>> http://rubyforge.org/mailman/listinfo/facebooker-talk
--
Mike Mangino
http://www.elevatedrails.com
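
Why fb_sig can stand in for the authenticity token, as an added example that is not part of the original thread and not Facebooker's own code: the receiving app recomputes the signature from the fb_sig_* parameters and its shared secret, so a POST that was not signed by the platform is rejected. The scheme shown (MD5 over the key-sorted pairs plus the secret) is the legacy platform signature as assumed here; the secret, the sample parameters and all method names are constructed for illustration.

```ruby
require 'digest/md5'

# Hypothetical application secret, constructed for this example.
APP_SECRET = 'example-secret-not-real'

# Constructed sample modelled on the uninstall POST in the quoted log.
SAMPLE = {
  'fb_sig_added' => '0', 'fb_sig_api_key' => 'BBBBBBBB',
  'fb_sig_uninstall' => '1', 'fb_sig_user' => 'CCCCCCCC',
  'action' => 'index', 'controller' => 'leave'
}.freeze

# Build the string that gets signed: every fb_sig_* parameter with the
# prefix stripped, sorted by key, joined as key=value with no separator.
# 'fb_sig' itself and ordinary Rails params are not part of the signature.
def signature_base(params)
  params.select { |k, _| k.start_with?('fb_sig_') }
        .map { |k, v| [k.delete_prefix('fb_sig_'), v.to_s] }
        .sort_by { |k, _| k }
        .map { |k, v| "#{k}=#{v}" }
        .join
end

# Signature the platform would have sent for these parameters.
def expected_fb_sig(params, secret)
  Digest::MD5.hexdigest(signature_base(params) + secret)
end

# Compare without leaking the position of the first mismatch via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# True only when the request carries an fb_sig that matches its parameters.
# A controller that skips the authenticity token should require this instead.
def platform_request_authentic?(params, secret)
  sig = params['fb_sig'].to_s
  return false if sig.empty?
  secure_compare(sig, expected_fb_sig(params, secret))
end
```

A controller that skips `verify_authenticity_token` for platform callbacks is only as safe as this check: an action reachable without either the token or a valid fb_sig has no forgery protection at all.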