We're having the same issue in our app, occurs sporadically in our logs - but I believe the cause with us is that:

- We're generating nonce values as a timestamp-seeded sequence of random numbers
- We're creating an instance of the Oauth class that does this for each logged-in user for the app

Thus, for a single timestamp, it IS possible that the time-seeded nonce values are the same....

So - corrective action being trialled: I'm prefixing the 'random' nonce value with the userID stripped from the start of the token, padded to a fixed length of chars... this should guarantee then that the nonce/timestamp combo is indeed unique for every request made from our app ....

Simon

On Aug 11, 6:45 am, Dan Borthwick <[email protected]> wrote:
> For our app, we successfully call request_token from our server. When
> we then call statuses/update from the client, we get a 401 'Invalid /
> used nonce' response. If the request_token call comes directly from
> the client, the update call succeeds.
>
> The nonces have been sanity checked and are definitely different for
> each call. GET requests to users/show succeed regardless of whether
> the request_token comes from the proxy server or client. Code is based
> on MGTwitterEngine-1.0.8-OAuth.
>
> The same code was working ok prior to the recent DoS downtime. Perhaps
> something has been changed on Twitter's side that might result in the
> 401 response?
>
> On Aug 11, 8:38 am, graceawalker <[email protected]> wrote:
>
> > No, my nonce is definitely new every time. Surely if there was
> > something wrong with the way it was being generated it would error
> > during requestToken/accessToken/VerifyCredentials too?? All the code
> > I've looked through is doing it exactly the same way. Is the 'status'
> > parameter being used just like all the oauth parameters? Is an
> > 'invalid nonce' error definitely an invalid nonce, or could it be to
> > do with the timestamp and timezones? Clutching at straws here...
>
> > > On Aug 11, 3:12 am, Chris Babcock <[email protected]> wrote:
>
> > > > On Mon, 10 Aug 2009 04:14:43 -0700 (PDT)
> > > > graceawalker <[email protected]> wrote:
>
> > > > I am calling and getting the whole way up to getting the access token
> > > > just fine in my app (one I'm writing myself in C#), but when I try and
> > > > call the update status URL I'm getting an 'Invalid/used nonce' error in
> > > > my response data. I'm not sure why this is, I'm calling the update
> > > > method in the exact same way that I called request token apart from
> > > > the new 'status' parameter in the query string. I call 'verify
> > > > credentials' with my access token to ensure that it is working and it
> > > > sends me back all of the correct data, but it is erroring when trying
> > > > to update my status. Is there any obvious solution to this, or am I
> > > > not supposed to be signing and organising the parameters in the same
> > > > way that I did before? I'm really stuck here guys and need help!
>
> > > Right, the nonce is a "number used once". Its purpose is to prevent
> > > replay attacks. If you use the same nonce for more than one call to the
> > > API then you *should* be getting an error.
>
> > > Chris
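
An added illustration of the collision described at the top of this thread (not code from any poster, from MGTwitterEngine or from Twitter): per-user generators seeded with the same timestamp emit the same nonce, while nonces drawn from the OS CSPRNG do not. The `NonceCache` class, the consumer key and the timestamp are constructed, and the sketch assumes the provider keys its replay check on consumer key, timestamp and nonce, which the thread does not confirm.

```python
import random
import secrets


def time_seeded_nonce(timestamp: int) -> str:
    """Pattern described in the thread: a new PRNG instance seeded with the
    request timestamp. Every instance created in the same second agrees."""
    rng = random.Random(timestamp)
    return "%08d" % rng.randrange(10**8)


def csprng_nonce() -> str:
    """128 bits from the OS CSPRNG, independent of time and of other instances."""
    return secrets.token_hex(16)


class NonceCache:
    """Hypothetical provider-side replay check (assumption, not Twitter's code):
    a (consumer_key, timestamp, nonce) tuple is accepted only once."""

    def __init__(self):
        self._seen = set()

    def accept(self, consumer_key: str, timestamp: int, nonce: str) -> bool:
        key = (consumer_key, timestamp, nonce)
        if key in self._seen:
            return False  # would surface to the client as 401 invalid/used nonce
        self._seen.add(key)
        return True


def simulate(make_nonce, users: int, timestamp: int) -> list:
    """One request per user in the same second, all under one consumer key."""
    cache = NonceCache()
    key = "constructed-consumer-key"  # constructed sample value
    return [cache.accept(key, timestamp, make_nonce(timestamp))
            for _ in range(users)]


if __name__ == "__main__":
    ts = 1249973100  # constructed timestamp
    print("time-seeded:", simulate(time_seeded_nonce, 3, ts))
    print("csprng:     ", simulate(lambda _ts: csprng_nonce(), 3, ts))
```
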
