We have also been seeing similar behaviour for our iPhone app based on
MGTwitterEngine-1.0.8-OAuth.

If we call request_token from the client followed by statuses/update,
everything works ok. However, if we send the request_token from our
server, then statuses/update from the client, a 401 Invalid / used
nonce is returned.

GET requests to users/show work in either case.

The same code was working ok prior to the recent DoS problems, so
perhaps something has changed on Twitter's side?


On Aug 11, 8:38 am, graceawalker <grace_blo...@hotmail.com> wrote:
> No, my nonce is definately new every time. Surely if there was
> something wrong with the way it was being generated it would error
> during requestToken/accessToken/VerifyCredentials too?? All the code
> ive looked through is doing it exactly the same way. Is the 'status'
> parameter being used just like all the oauth parameters? is an
> 'invalid nonce' error, definately an invalid nonce or could it be to
> do with the timestamp and timezones. Clutching at straws here...
>
> On Aug 11, 3:12 am, Chris Babcock <cbabc...@asciiking.com> wrote:
>
> > On Mon, 10 Aug 2009 04:14:43 -0700 (PDT)
>
> > graceawalker <grace_blo...@hotmail.com> wrote:
> > > I am calling and getting the whole way up to getting the access token
> > > just fine in my app (one im writing myself in c#), but when i try and
> > > call the update status URL im getting an 'Invalid/used nonce' error in
> > > my response data. Im not sure why this is, im calling the update
> > > method in the exact same way that i called request token apart from
> > > the new 'status' parameter in the query string. I call 'verify
> > > credentials' with my access token to ensure that it is working and it
> > > sends me back all of the correct data, but it is erroring when trying
> > > to update my status. Is there any obvious solution to this, or am i
> > > not supposed to be signing and organising the parameters in the same
> > > way that i did before? Im really stuck here guys and need help!
>
> > Right, the nonce is a "number used once". Its purpose is to prevent
> > replay attacks. If you use the same nonce for more than one call to the
> > API then you *should* be getting an error.
>
> > Chris

Reply via email to