Looks like the Facebook Platform Team is aware of this issue. You can track the bug here:<br><br><a href="http://bugs.developers.facebook.com/show_bug.cgi?id=3754">http://bugs.developers.facebook.com/show_bug.cgi?id=3754</a><br>
<br><div class="gmail_quote">On Thu, Nov 13, 2008 at 1:24 PM, Agile Dev <span dir="ltr"><<a href="mailto:agiledevcool@gmail.com">agiledevcool@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I am also experiencing issues with Incorrect Signatures. The signatures that Facebook are passing are of a strange format. For example:<br><br>2:t2lkRVehtrhJWvEMUlny_g__:86400:1226696400-213412341<br><br>It seems like a lot of people are experiencing this problem (<a href="http://forum.developers.facebook.com/viewtopic.php?id=24251" target="_blank">http://forum.developers.facebook.com/viewtopic.php?id=24251</a>).<br>
<br>Did Facebook change the format of the session key?<br><br><div class="gmail_quote"><div><div></div><div class="Wj3C7c">On Thu, Nov 13, 2008 at 1:19 PM, Mike Summers <span dir="ltr"><<a href="mailto:msummers@solarpowerme.com" target="_blank">msummers@solarpowerme.com</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div><div></div><div class="Wj3C7c">
<div bgcolor="#ffffff" text="#000066">
<font face="Helvetica, Arial, sans-serif">This just started showing up
in a working app, anyone else seeing this?</font><div><div></div><div><br>
<br>
Paul Covell wrote:
<blockquote type="cite">Hi, this topic was originally posted here:
<br>
<a href="http://forums.pragprog.com/forums/59/topics/917" target="_blank">http://forums.pragprog.com/forums/59/topics/917</a>
<br>
<br>
Quick summary: forms created method=GET fail with a signature
validation error:
<br>
Facebooker::Session::IncorrectSignature
(Facebooker::Session::IncorrectSignature):
<br>
/vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:146:in
`verify_signature'
<br>
/vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:120:in
`verified_facebook_params'
<br>
/vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:35:in
`facebook_params'
<br>
/vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:63:in
`valid_session_key_in_session?'
<br>
/vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:41:in
`session_already_secured?'
<br>
<br>
//////
<br>
This can be reproduced with a small test application:
<br>
rails test
<br>
cd test
<br>
script/plugin install git://<a href="http://github.com/mmangino/facebooker.git" target="_blank">github.com/mmangino/facebooker.git</a>
<br>
ruby script/generate controller home index search
<br>
<br>
views/home/index.fbml.erb:
<br>
<br>
<br>
<h1>Home</h1>
<br>
<% form_tag(url_for(:action => :search), {:method=>:get}) do %>
<br>
<p><%= text_field_tag(:keyword, params[:keyword]) %></p>
<br>
<p><fb:submit>Go</fb:submit></p>
<br>
<% end %>
<br>
<br>
app/controller/application.rb—added immediately below helper :all
<br>
<br>
ensure_application_is_installed_by_facebook_user
<br>
ensure_authenticated_to_facebook
<br>
<br>
And then I set up my development server and tunnel as I do with normal
development. The error is the same. Also, if I remove the :method =>
:get, the error does not occur.
<br>
//////
<br>
<br>
I have done some additional digging tonight on the problem, and here is
what I've learned:
<br>
<br>
1. The verify_signature is working correctly (as expected) and
calculating on all values passed to it --- the calculation is actually
rendering a result inconsistent with the fb_sig passed to it.
<br>
2. The hidden parameters from the form that appear in the URL are
being faithfully transmitted through Facebook to Facebooker and showing
up properly in verify_signature
<br>
3. A copy + paste of the "raw string" generated by a working GET and a
failing GET are identical except the timestamp and the session
expiration time (of course). You can test a working GET by removing
the parameters from the URL letting facebook regenerate them. This way
everything else is identical.
<br>
<br>
==> I can only conclude that the fb_sig sent by facebook is being
calculated based on a different order of parameters or excluding some
parameters, but I don't know how to go about finding which ones (except
brute force yuck). I can't find any of the FB pages that offer any
useful advice on this.
<br>
<br>
Quick reference:
<br>
Forms and Hidden Inputs:
<a href="http://wiki.developers.facebook.com/index.php/UsageNotes/Forms" target="_blank">http://wiki.developers.facebook.com/index.php/UsageNotes/Forms</a>
<br>
How Facebook Authenticates:
<a href="http://wiki.developers.facebook.com/index.php/How_Facebook_Authenticates_Your_Application" target="_blank">http://wiki.developers.facebook.com/index.php/How_Facebook_Authenticates_Your_Application</a>
<br>
Verifying the Signature:
<a href="http://wiki.developers.facebook.com/index.php/Verifying_The_Signature" target="_blank">http://wiki.developers.facebook.com/index.php/Verifying_The_Signature</a>
<br>
<br>
-Paul
<br>
_______________________________________________
<br>
Facebooker-talk mailing list
<br>
<a href="mailto:Facebooker-talk@rubyforge.org" target="_blank">Facebooker-talk@rubyforge.org</a>
<br>
<a href="http://rubyforge.org/mailman/listinfo/facebooker-talk" target="_blank">http://rubyforge.org/mailman/listinfo/facebooker-talk</a>
<br>
<br>
</blockquote>
</div></div></div>
<br></div></div><div class="Ih2E3d"><br>
<br></div></blockquote></div><br>
</blockquote></div><br>
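Added example (not part of the original thread and not Facebooker's own code): Paul's diagnosis above amounts to recomputing the signature and then looking for parameters that Facebook may have left out of its calculation. The sketch below does both, assuming the legacy scheme described on the linked "Verifying The Signature" page (MD5 over the sorted key=value pairs of the fb_sig_-prefixed parameters with the prefix stripped, followed by the application secret); the function names, secret and request values are constructed for illustration.

```ruby
require 'digest/md5'

PREFIX = 'fb_sig_' # signed parameters carry this prefix (assumed legacy scheme)

# Signed parameters with the prefix stripped; fb_sig itself and app
# parameters such as the form's :keyword are not part of the hash input.
def signed_params(params)
  params.each_with_object({}) do |(k, v), out|
    out[k[PREFIX.size..-1]] = v.to_s if k.start_with?(PREFIX)
  end
end

# The "raw string": key=value pairs sorted by key, joined with no separator.
def raw_string(signed)
  signed.sort.map { |k, v| "#{k}=#{v}" }.join
end

def expected_sig(signed, secret)
  Digest::MD5.hexdigest(raw_string(signed) + secret)
end

# Compare without returning early at the first differing byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def signature_valid?(params, secret)
  sig = params['fb_sig']
  sig.is_a?(String) && secure_compare(expected_sig(signed_params(params), secret), sig)
end

# Bounded form of the brute force: which sets of up to max_drop signed
# parameters, when left out, reproduce the fb_sig that was received?
def omissions_matching(params, secret, max_drop = 2)
  signed = signed_params(params)
  (1..max_drop).flat_map do |n|
    signed.keys.combination(n).select do |drop|
      rest = signed.reject { |k, _| drop.include?(k) }
      expected_sig(rest, secret) == params['fb_sig']
    end
  end
end

# Constructed sample request; the secret and all values are placeholders.
SECRET = 'example-app-secret'
SAMPLE = { 'fb_sig_user' => '1001', 'fb_sig_time' => '1226600000.5',
           'fb_sig_expires' => '1226696400', 'fb_sig_in_canvas' => '1',
           'keyword' => 'solar' }
```

An empty result from omissions_matching on a failing request means the mismatch is not explained by up to max_drop omitted parameters.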