<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">This is related to the message I sent yesterday. You're probably getting <div>the error when facebook pings your post-auth url.<div><div><br></div><div><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>stumbling around a little, I found this discussion from march, which advocated</div><div>skipping the verify_authenticity_token for your callback url from facebook:</div><div><br></div><div><a href="http://rubyforge.org/pipermail/facebooker-talk/2008-March/000456.html">http://rubyforge.org/pipermail/facebooker-talk/2008-March/000456.html</a></div><div><br></div><div>I didn't have any problem taking the standard approach in my controller:</div><div> skip_before_filter :verify_authenticity_token, :only=>[:post-auth-url, :post-remove-url]</div><div><br></div></div></div><div>and as you said, as long as you're verifying the signature in these functions, </div><div>it shouldn't be a security concern.</div><div><br></div><div><br><div><div>On Jan 6, 2009, at 10:24 PM, George Deglin wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="font-size:12px; color:#999; font-family: 'Lucida Grande', Helvetica, Arial, sans-serif; "> George Deglin (<a href="mailto:george@xapblog.com">george@xapblog.com</a>) requested to be added to <a style="text-decoration:none;color:#5e96ea;" href="http://www.boxbe.com/approved-list">your Guest List</a> | <a style="text-decoration:none;color:#5e96ea;" href="https://www.boxbe.com/policy_update?sender=george@xapblog.com">Approve sender</a> <img src="https://www.boxbe.com/images/bullet1_s.png" width="10px" style="margin-left:5px;"><br> </div> For quite a while now users on my application have seemingly randomly experienced authenticity token failures. I think I may have seen them a couple times myself.<br><br>The error is as follows:<br>ActionController::<div id=":1ii" class="ArwC7c ckChnd"> InvalidAuthenticityToken<br> /home/deploy/.gem/ruby/1.8/gems/actionpack-2.2.2/lib/action_controller/request_forgery_protection.rb:86:in `verify_authenticity_token'<br></div><br>There does not appear to be any specific action that causes them, and usually users get through on their second attempt.<br> <br>After looking through the error and request logs I am completely at a loss to how this could happen. All parameters seem to be correct and users do get through after trying again. There is a minimal delay between when the form is generated and the user submits it.<br> <br>Here is a sample of the parameters of one of the failing requests. (Some parameters have been obfuscated). As you can see, the authenticity_token is present.<br>Parameters: {"format"=>"fbml", "commit"=>"Continue", "fb_sig_time"=>"1231261212.664", "fb_sig"=>"828a350a3b6ade0223b0eeb911a51248", "fb_sig_in_new_facebook"=>"1", "authenticity_token"=>"87149fbbb58318eb7b85f20b5b0cf2a75fa78a47", "fb_sig_locale"=>"en_US", "action"=>"create", "object1"=>{"prameter1"=>"***", "parameter2"=>"***"}, "fb_sig_position_fix"=>"1", "fb_sig_in_canvas"=>"1", "fb_sig_session_key"=>"2.gvXYwPbU_5_RNd3GQLjg9A__.86400.1231351200-***", "fb_sig_request_method"=>"POST", "controller"=>"***", "fb_sig_expires"=>"1231351200", "fb_sig_friends"=>"***", "fb_sig_added"=>"1", "fb_sig_api_key"=>"4ea2871be8fb71d66673d3692d94c6bc", "fb_sig_user"=>"***", "fb_sig_profile_update_time"=>"1230057986"}<br> <br>Does anyone have any idea how this could happen? After considering things for a while I am wondering if CSRF protection is even necessary on Facebook applications since users could be validated through the fb_sig_session_key.<br> _______________________________________________<br>Facebooker-talk mailing list<br><a href="mailto:Facebooker-talk@rubyforge.org">Facebooker-talk@rubyforge.org</a><br>http://rubyforge.org/mailman/listinfo/facebooker-talk<br></blockquote></div><br></div></div></div></body></html>