[Facebooker-talk] Random authenticity token failures *

kevin lochner klochner at gmail.com
Wed Jan 7 12:04:48 EST 2009


This is related to the message I sent yesterday. You're probably getting the error when Facebook pings your post-auth url.

Stumbling around a little, I found this discussion from March, which advocated skipping the verify_authenticity_token for your callback url from Facebook:

http://rubyforge.org/pipermail/facebooker-talk/2008-March/000456.html

I didn't have any problem taking the standard approach in my controller:
    skip_before_filter :verify_authenticity_token, :only => [:post_auth_url, :post_remove_url]

and as you said, as long as you're verifying the signature in these functions, it shouldn't be a security concern.


On Jan 6, 2009, at 10:24 PM, George Deglin wrote:

> For quite a while now users on my application have seemingly randomly experienced authenticity token failures. I think I may have seen them a couple times myself.
>
> The error is as follows:
> ActionController::InvalidAuthenticityToken
>  /home/deploy/.gem/ruby/1.8/gems/actionpack-2.2.2/lib/action_controller/request_forgery_protection.rb:86:in `verify_authenticity_token'
>
> There does not appear to be any specific action that causes them, and usually users get through on their second attempt.
>
> After looking through the error and request logs I am completely at a loss as to how this could happen. All parameters seem to be correct and users do get through after trying again. There is a minimal delay between when the form is generated and the user submits it.
>
> Here is a sample of the parameters of one of the failing requests. (Some parameters have been obfuscated.) As you can see, the authenticity_token is present.
> Parameters: {"format"=>"fbml", "commit"=>"Continue",
> "fb_sig_time"=>"1231261212.664",
> "fb_sig"=>"828a350a3b6ade0223b0eeb911a51248",
> "fb_sig_in_new_facebook"=>"1",
> "authenticity_token"=>"87149fbbb58318eb7b85f20b5b0cf2a75fa78a47",
> "fb_sig_locale"=>"en_US", "action"=>"create",
> "object1"=>{"parameter1"=>"***", "parameter2"=>"***"},
> "fb_sig_position_fix"=>"1", "fb_sig_in_canvas"=>"1",
> "fb_sig_session_key"=>"2.gvXYwPbU_5_RNd3GQLjg9A__.86400.1231351200-***",
> "fb_sig_request_method"=>"POST", "controller"=>"***",
> "fb_sig_expires"=>"1231351200", "fb_sig_friends"=>"***",
> "fb_sig_added"=>"1",
> "fb_sig_api_key"=>"4ea2871be8fb71d66673d3692d94c6bc",
> "fb_sig_user"=>"***", "fb_sig_profile_update_time"=>"1230057986"}
>
> Does anyone have any idea how this could happen? After considering things for a while I am wondering if CSRF protection is even necessary on Facebook applications since users could be validated through the fb_sig_session_key.
> _______________________________________________
> Facebooker-talk mailing list
> Facebooker-talk at rubyforge.org
> http://rubyforge.org/mailman/listinfo/facebooker-talk
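The check the thread leans on once the CSRF filter is skipped for the Facebook callbacks, shown here as an added example in plain Ruby (this is not Facebooker's own code, and it does not depend on Rails): verify the fb_sig MAC that Facebook attached to every fb_sig_* parameter, using the legacy Platform scheme (strip the fb_sig_ prefix, sort the key=value pairs, concatenate them with no separator, append the application secret, MD5 the result). Because the signature covers fb_sig_user, fb_sig_session_key and fb_sig_time together, a request that verifies could only have been produced by a holder of the app secret, which is why it can stand in for the Rails authenticity token on those actions. The module name FbSig, the secret, the sample parameters and the 48-hour freshness window for fb_sig_time are assumptions for the example, not values from the thread or from Facebook.

```ruby
require 'digest/md5'

# Added example, not Facebooker's own code: verify the legacy Facebook
# Platform "fb_sig" signature on a callback request. This is the check that
# replaces verify_authenticity_token once it is skipped for the
# post-auth / post-remove actions.
module FbSig
  PREFIX = 'fb_sig_'
  # Assumed freshness window for fb_sig_time (the request timestamp), to
  # limit replay of a captured callback. 48 hours is a guess for the example.
  MAX_AGE_SECONDS = 48 * 3600

  # Canonical string the signature covers: every fb_sig_* parameter with the
  # prefix stripped, rendered as "key=value", sorted, joined with no separator.
  # "fb_sig" itself does not carry the prefix and is therefore excluded.
  def self.canonical(params)
    params.select { |k, _| k.to_s.start_with?(PREFIX) }
          .map { |k, v| "#{k.to_s.sub(PREFIX, '')}=#{v}" }
          .sort
          .join
  end

  # MD5 over the canonical string plus the application secret. Only the app
  # and Facebook know the secret, so a matching fb_sig binds every fb_sig_*
  # value (user, session key, time, ...) to a request Facebook produced.
  def self.sign(params, secret)
    Digest::MD5.hexdigest(canonical(params) + secret)
  end

  # Constant-time comparison so a mismatch does not reveal which byte differed.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # True only if the signature verifies, fb_sig_time is within the freshness
  # window, and the session (when fb_sig_expires is non-zero) has not expired.
  # `now` is injectable so the check can be exercised deterministically.
  def self.valid?(params, secret, now: Time.now.to_f)
    sig = params['fb_sig']
    return false if sig.nil? || sig.empty?
    return false unless secure_compare(sign(params, secret), sig)

    t = params['fb_sig_time'].to_f
    return false if t.zero? || (now - t).abs > MAX_AGE_SECONDS

    expires = params['fb_sig_expires'].to_i # 0 means "never expires"
    return false if expires > 0 && now >= expires
    true
  end

  # Constructed sample request shaped like the parameters quoted in the
  # thread; every value and the secret are made up for this example.
  SECRET = 'example-app-secret'
  def self.sample_request
    req = {
      'format'             => 'fbml',
      'commit'             => 'Continue',
      'authenticity_token' => 'not-checked-on-callbacks',
      'fb_sig_time'        => '1231261212.664',
      'fb_sig_in_canvas'   => '1',
      'fb_sig_api_key'     => 'example-api-key',
      'fb_sig_user'        => '1234567',
      'fb_sig_session_key' => '2.example.86400.1231351200-1234567',
      'fb_sig_expires'     => '1231351200',
    }
    req.merge('fb_sig' => sign(req, SECRET))
  end
end

# In a Rails 2.x controller the pairing would look like this (illustrative,
# not runnable without Rails):
#   skip_before_filter :verify_authenticity_token, :only => [:post_auth_url, :post_remove_url]
#   before_filter :require_facebook_signature,    :only => [:post_auth_url, :post_remove_url]
#   def require_facebook_signature
#     head :forbidden unless FbSig.valid?(params, FACEBOOK_SECRET)
#   end

if __FILE__ == $0
  req = FbSig.sample_request
  puts "genuine:  #{FbSig.valid?(req, FbSig::SECRET, now: 1231261300.0)}"
  puts "tampered: #{FbSig.valid?(req.merge('fb_sig_user' => '7'), FbSig::SECRET, now: 1231261300.0)}"
end
```

Note that parameters without the fb_sig_ prefix (format, commit, the authenticity_token itself) are not covered by the MAC, so nothing in them should be trusted on the strength of a valid fb_sig; the user and session identity come from the signed fb_sig_user and fb_sig_session_key.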

