[Facebooker-talk] Form method=get signature failure

Agile Dev agiledevcool at gmail.com
Thu Nov 13 16:26:00 EST 2008


Looks like the Facebook Platform Team is aware of this issue.  You can track
the bug here:

http://bugs.developers.facebook.com/show_bug.cgi?id=3754

On Thu, Nov 13, 2008 at 1:24 PM, Agile Dev <agiledevcool at gmail.com> wrote:

> I am also experiencing issues with Incorrect Signatures.  The signatures
> that Facebook are passing are of a strange format.  For example:
>
> 2:t2lkRVehtrhJWvEMUlny_g__:86400:1226696400-213412341
>
> It seems like a lot of people are experiencing this problem (
> http://forum.developers.facebook.com/viewtopic.php?id=24251).
>
> Did Facebook change the format of the session key?
>
> On Thu, Nov 13, 2008 at 1:19 PM, Mike Summers <msummers at solarpowerme.com> wrote:
>
>>  This just started showing up in a working app, anyone else seeing this?
>>
>>
>> Paul Covell wrote:
>>
>> Hi, this topic was originally posted here:
>>   http://forums.pragprog.com/forums/59/topics/917
>>
>> Quick summary: forms created with method=GET fail with a signature validation
>> error:
>> Facebooker::Session::IncorrectSignature (Facebooker::Session::IncorrectSignature):
>>     /vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:146:in `verify_signature'
>>     /vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:120:in `verified_facebook_params'
>>     /vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:35:in `facebook_params'
>>     /vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:63:in `valid_session_key_in_session?'
>>     /vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:41:in `session_already_secured?'
>>
>> //////
>> This can be reproduced with a small test application:
>> rails test
>> cd test
>> script/plugin install git://github.com/mmangino/facebooker.git
>> ruby script/generate controller home index search
>>
>> views/home/index.fbml.erb:
>>
>>
>> <h1>Home</h1>
>> <% form_tag(url_for(:action => :search), {:method=>:get}) do %>
>> <p><%= text_field_tag(:keyword, params[:keyword]) %></p>
>> <p><fb:submit>Go</fb:submit></p>
>> <% end %>
>>
>> app/controller/application.rb—added immediately below helper :all
>>
>>   ensure_application_is_installed_by_facebook_user
>>   ensure_authenticated_to_facebook
>>
>> And then I set up my development server and tunnel as I do with normal
>> development. The error is the same. Also, if I remove the :method => :get,
>> the error does not occur.
>> //////
>>
>> I have done some additional digging tonight on the problem, and here is
>> what I've learned:
>>
>> 1.  The verify_signature is working correctly (as expected) and
>> calculating on all values passed to it --- the calculation is actually
>> rendering a result inconsistent with the fb_sig passed to it.
>> 2.  The hidden parameters from the form that appear in the URL are being
>> faithfully transmitted through Facebook to Facebooker and showing up
>> properly in verify_signature
>> 3.  A copy + paste of the "raw string" generated by a working GET and a
>> failing GET are identical except the timestamp and the session expiration
>> time (of course).  You can test a working GET by removing the parameters
>> from the URL, letting Facebook regenerate them.  This way everything else is
>> identical.
>>
>> ==> I can only conclude that the fb_sig sent by facebook is being
>> calculated based on a different order of parameters or excluding some
>> parameters, but I don't know how to go about finding which ones (except
>> brute force yuck).  I can't find any of the FB pages that offer any useful
>> advice on this.
>>
>> Quick reference:
>> Forms and Hidden Inputs:
>> http://wiki.developers.facebook.com/index.php/UsageNotes/Forms
>> How Facebook Authenticates:
>> http://wiki.developers.facebook.com/index.php/How_Facebook_Authenticates_Your_Application
>> Verifying the Signature:
>> http://wiki.developers.facebook.com/index.php/Verifying_The_Signature
>>
>> -Paul
>> _______________________________________________
>> Facebooker-talk mailing list
>> Facebooker-talk at rubyforge.org
>> http://rubyforge.org/mailman/listinfo/facebooker-talk
>>
>
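Added example, not part of the thread and not Facebooker's own code: a sketch of the legacy fb_sig check (MD5 over the sorted, prefix-stripped fb_sig_* "key=value" pairs followed by the application secret) plus a diagnostic that searches for the smallest set of parameters the sender must have left out to produce the fb_sig that arrived. The secret, the parameter values and the helper names are constructed for illustration.

```ruby
require 'digest/md5'

FB_PREFIX = 'fb_sig_'

# Keep only fb_sig_* parameters and strip the prefix (fb_sig itself is not signed).
def signed_params(params)
  params.select { |k, _| k.start_with?(FB_PREFIX) }
        .map { |k, v| [k.delete_prefix(FB_PREFIX), v] }.to_h
end

# Raw string: "key=value" pairs, sorted, concatenated with no separator.
def raw_string(sig_params)
  sig_params.map { |k, v| "#{k}=#{v}" }.sort.join
end

def signature(sig_params, secret)
  Digest::MD5.hexdigest(raw_string(sig_params) + secret)
end

# Compare digests without an early exit on the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def valid_signature?(params, secret)
  secure_equal?(signature(signed_params(params), secret), params['fb_sig'].to_s)
end

# Diagnostic: smallest set of keys whose omission reproduces the received fb_sig.
# Returns [] if the full set verifies, nil if nothing up to max_omit keys matches.
def omitted_keys(params, secret, max_omit: 2)
  sig_params = signed_params(params)
  (0..max_omit).each do |n|
    sig_params.keys.combination(n) do |omit|
      candidate = sig_params.reject { |k, _| omit.include?(k) }
      return omit if secure_equal?(signature(candidate, secret), params['fb_sig'].to_s)
    end
  end
  nil
end

# Constructed sample request; 'keyword' is the form field and is never signed.
SECRET = 'constructed-app-secret'
SENT = { 'keyword' => 'solar', 'fb_sig_in_canvas' => '1', 'fb_sig_user' => '1001',
         'fb_sig_time' => '1226611560.5', 'fb_sig_expires' => '1226696400' }.freeze
GOOD = SENT.merge('fb_sig' => signature(signed_params(SENT), SECRET))
# Simulated sender that signed everything except "expires".
BAD = SENT.merge('fb_sig' => signature(signed_params(SENT).reject { |k, _| k == 'expires' }, SECRET))
```

The search needs the application secret, so it belongs in a development console; the number of candidates grows quickly with max_omit.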