The interesting thing with my situation is that I'm still in development, so there's only a single person (me) hitting the app. Further, I'm only attempting a single call to Twitter.
Also, I get a 401 on everything that requires authentication, but not on something like a rateLimitStatus check. Further, a call to /followers/ids.xml *works* on my local dev box, but not on the production server. The only difference I can think of would be IP address. I've been able to trace 3 separate requests being generated by Twitter4J and here are the values: [Wed Aug 12 10:19:56 PDT 2009] oauth_timestamp="1250097596",oauth_nonce="329444963" [Wed Aug 12 10:20:20 PDT 2009] oauth_timestamp="1250097620",oauth_nonce="173112023" [Wed Aug 12 10:24:39 PDT 2009] oauth_timestamp="1250097879",oauth_nonce="3202768030" Each timestamp is larger than the last and each nonce is unique. Knowing that my values are legit makes me think there's another problem, but Twitter hasn't responded to my api@ email. Rob O'Brien Web Application Developer & Consultant r...@zepoid.com -----Original Message----- From: twitter-development-talk@googlegroups.com [mailto:twitter-development-t...@googlegroups.com] On Behalf Of Zaudio Sent: Tuesday, August 11, 2009 12:04 PM To: Twitter Development Talk Subject: [twitter-dev] Re: Invalid / used nonce We're having the same issue in our app, occurs sporadically in our logs - but I believe the cause with us is that: We're generating nonce values as a timestamp seeded sequence of random numbers We're creating an instance of the Oauth class that does this for each logged in user for the app Thus, for a single timestamp, it IS possible that the time seeded nonce values are the same.... So - corrrective action being trialled: I'm prefixing the 'random' nonce value with the userID stripped from the start of the token, padded to a fixed length of chars... this should guarantee then that the nonce/timestamp combo is indeed unique for every request made from our app .... Simon On Aug 11, 6:45 am, Dan Borthwick <dan.borthw...@playfish.com> wrote: > For our app, we successfully call request_token from our server. When > we then call statuses/update from the client, we get a 401 'Invalid / > usednonce' response. If the request_token call comes directly from > the client, the update call succeeds. > > The nonces have been sanity checked and are definitely different for > each call. GET requests to users/show succeed regardless of whether > the request_token comes from the proxy server or client. Code is based > on MGTwitterEngine-1.0.8-OAuth. > > The same code was working ok prior to the recent DoS downtime. Perhaps > something has been changed on Twitter's side that might result in the > 401 response? > > On Aug 11, 8:38 am, graceawalker <grace_blo...@hotmail.com> wrote: > > > > > No, mynonceis definately new every time. Surely if there was > > something wrong with the way it was being generated it would error > > during requestToken/accessToken/VerifyCredentials too?? All the code > > ive looked through is doing it exactly the same way. Is the 'status' > > parameter being used just like all the oauth parameters? is an > > 'invalidnonce' error, definately an invalidnonceor could it be to > > do with the timestamp and timezones. Clutching at straws here... > > > On Aug 11, 3:12 am, Chris Babcock <cbabc...@asciiking.com> wrote: > > > > On Mon, 10 Aug 2009 04:14:43 -0700 (PDT) > > > > graceawalker <grace_blo...@hotmail.com> wrote: > > > > I am calling and getting the whole way up to getting the access token > > > > just fine in my app (one im writing myself in c#), but when i try and > > > > call the update status URL im getting an 'Invalid/usednonce' error in > > > > my response data. Im not sure why this is, im calling the update > > > > method in the exact same way that i called request token apart from > > > > the new 'status' parameter in the query string. I call 'verify > > > > credentials' with my access token to ensure that it is working and it > > > > sends me back all of the correct data, but it is erroring when trying > > > > to update my status. Is there any obvious solution to this, or am i > > > > not supposed to be signing and organising the parameters in the same > > > > way that i did before? Im really stuck here guys and need help! > > > > Right, thenonceis a "number used once". Its purpose is to prevent > > > replay attacks. If you use the samenoncefor more than one call to the > > > API then you *should* be getting an error. > > > > Chris- Hide quoted text - > > - Show quoted text -
