My trial has worked so far today... not a single invalid nonce
error.... but it's only been 12 hours

Simon

On Aug 12, 12:59 pm, "Rob O'Brien" <[email protected]> wrote:
> The interesting thing with my situation is that I'm still in development, so
> there's only a single person (me) hitting the app. Further, I'm only
> attempting a single call to Twitter.
>
> Also, I get a 401 on everything that requires authentication, but not on
> something like a rateLimitStatus check.
>
> Further, a call to /followers/ids.xml *works* on my local dev box, but not
> on the production server. The only difference I can think of would be IP
> address.
>
> I've been able to trace 3 separate requests being generated by Twitter4J and
> here are the values:
>
> [Wed Aug 12 10:19:56 PDT 2009]
> oauth_timestamp="1250097596",oauth_nonce="329444963"
>
> [Wed Aug 12 10:20:20 PDT 2009]
> oauth_timestamp="1250097620",oauth_nonce="173112023"
>
> [Wed Aug 12 10:24:39 PDT 2009]
> oauth_timestamp="1250097879",oauth_nonce="3202768030"
>
> Each timestamp is larger than the last and each nonce is unique.
>
> Knowing that my values are legit makes me think there's another problem, but
> Twitter hasn't responded to my api@ email.
>
> Rob O'Brien
> Web Application Developer & Consultant
> [email protected]
>
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Zaudio
> Sent: Tuesday, August 11, 2009 12:04 PM
> To: Twitter Development Talk
> Subject: [twitter-dev] Re: Invalid / used nonce
>
> We're having the same issue in our app, occurs sporadically in our
> logs - but I believe the cause with us is that:
>
> We're generating nonce values as a timestamp seeded sequence of random
> numbers
> We're creating an instance of the Oauth class that does this for each
> logged in user for the app
>
> Thus, for a single timestamp, it IS possible that the time seeded nonce values
> are the same....
>
> So - corrective action being trialled: I'm prefixing the 'random' nonce value
> with the userID stripped from the start of the token,
> padded to a fixed length of chars... this should guarantee then that
> the nonce/timestamp combo is indeed unique for every request made from
> our app ....
>
> Simon
>
> On Aug 11, 6:45 am, Dan Borthwick <[email protected]> wrote:
> > For our app, we successfully call request_token from our server. When
> > we then call statuses/update from the client, we get a 401 'Invalid /
> > used nonce' response. If the request_token call comes directly from
> > the client, the update call succeeds.
>
> > The nonces have been sanity checked and are definitely different for
> > each call. GET requests to users/show succeed regardless of whether
> > the request_token comes from the proxy server or client. Code is based
> > on MGTwitterEngine-1.0.8-OAuth.
>
> > The same code was working ok prior to the recent DoS downtime. Perhaps
> > something has been changed on Twitter's side that might result in the
> > 401 response?
>
> > On Aug 11, 8:38 am, graceawalker <[email protected]> wrote:
>
> > > No, my nonce is definitely new every time. Surely if there was
> > > something wrong with the way it was being generated it would error
> > > during requestToken/accessToken/VerifyCredentials too?? All the code
> > > I've looked through is doing it exactly the same way. Is the 'status'
> > > parameter being used just like all the oauth parameters? Is an
> > > 'invalid nonce' error definitely an invalid nonce, or could it be to
> > > do with the timestamp and timezones. Clutching at straws here...
>
> > > On Aug 11, 3:12 am, Chris Babcock <[email protected]> wrote:
>
> > > > > On Mon, 10 Aug 2009 04:14:43 -0700 (PDT)
> > > > > graceawalker <[email protected]> wrote:
> > > > > > I am calling and getting the whole way up to getting the access
> > > > > > token just fine in my app (one I'm writing myself in C#), but when
> > > > > > I try and call the update status URL I'm getting an 'Invalid/used
> > > > > > nonce' error in my response data. I'm not sure why this is, I'm
> > > > > > calling the update method in the exact same way that I called
> > > > > > request token apart from the new 'status' parameter in the query
> > > > > > string. I call 'verify credentials' with my access token to ensure
> > > > > > that it is working and it sends me back all of the correct data,
> > > > > > but it is erroring when trying to update my status. Is there any
> > > > > > obvious solution to this, or am I not supposed to be signing and
> > > > > > organising the parameters in the same way that I did before? I'm
> > > > > > really stuck here guys and need help!
>
> > > > > Right, the nonce is a "number used once". Its purpose is to prevent
> > > > > replay attacks. If you use the same nonce for more than one call to the
> > > > > API then you *should* be getting an error.
>
> > > > > Chris

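The collision described in the quoted message from Zaudio (one nonce generator per logged-in user, each seeded from the timestamp), as an added example that is not code from the thread or from any library mentioned in it. The `ReplayCache` class and its per-consumer-key scope are assumptions for illustration; the thread does not say how Twitter scopes its nonce check.

```python
import random
import secrets


class SeededNonceSource:
    """Flawed pattern from the thread: one generator per logged-in user,
    each seeded with the current Unix timestamp."""
    def __init__(self, timestamp):
        self._rng = random.Random(timestamp)  # same second -> same seed

    def next_nonce(self):
        return str(self._rng.randrange(2**32))


def csprng_nonce():
    """128 bits from the OS CSPRNG; independent of time and of instance."""
    return secrets.token_hex(16)


class ReplayCache:
    """Hypothetical server-side check (assumption): reject any
    (consumer key, timestamp, nonce) triple that was seen before."""
    def __init__(self):
        self._seen = set()

    def accept(self, consumer_key, timestamp, nonce):
        key = (consumer_key, timestamp, nonce)
        if key in self._seen:
            return False
        self._seen.add(key)
        return True


def seeded(timestamp, users):
    # A fresh time-seeded generator per user, all created in the same second.
    return [SeededNonceSource(timestamp).next_nonce() for _ in range(users)]


def fixed(timestamp, users):
    return [csprng_nonce() for _ in range(users)]


def simulate(make_nonces, timestamp=1250097596, users=3):
    """Each user sends one request in the same second under one consumer
    key (constructed value); returns the accept/reject decisions."""
    cache = ReplayCache()
    return [cache.accept("constructed-consumer-key", timestamp, n)
            for n in make_nonces(timestamp, users)]


if __name__ == "__main__":
    print("time-seeded per-user instances:", simulate(seeded))
    print("CSPRNG nonces:                 ", simulate(fixed))
```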