if it's a bug, open an issue in their bugtracker.

On Thu, Aug 13, 2009 at 13:06, Zaudio <si...@z-audio.co.uk> wrote:

>
> Nope - trial has now failed. I've even added the current time ms to
> the nonce to ensure it is unique for any single timestamp... to
> clarify my nonce is:
>
> userid____ms___randomno
>
> And I STILL am getting invalid nonce logs... on the ids methods
> only.... ARGH
>
> Surely this IS a twitter side bug now???
>
> Simon
>
> On Aug 12, 3:49 pm, Zaudio <si...@z-audio.co.uk> wrote:
> > My trial has worked so far today... not a singleinvalidnonce
> > error.... but it's only been 12 hours
> >
> > Simon
> >
> > On Aug 12, 12:59 pm, "Rob O'Brien" <r...@zepoid.com> wrote:
> >
> >
> >
> > > The interesting thing with my situation is that I'm still in
> development, so
> > > there's only a single person (me) hitting the app. Further, I'm only
> > > attempting a single call to Twitter.
> >
> > > Also, I get a 401 on everything that requires authentication, but not
> on
> > > something like a rateLimitStatus check.
> >
> > > Further, a call to /followers/ids.xml *works* on my local dev box, but
> not
> > > on the production server. The only difference I can think of would be
> IP
> > > address.
> >
> > > I've been able to trace 3 separate requests being generated by
> Twitter4J and
> > > here are the values:
> >
> > > [Wed Aug 12 10:19:56 PDT 2009]
> > > oauth_timestamp="1250097596",oauth_nonce="329444963"
> >
> > > [Wed Aug 12 10:20:20 PDT 2009]
> > > oauth_timestamp="1250097620",oauth_nonce="173112023"
> >
> > > [Wed Aug 12 10:24:39 PDT 2009]
> > > oauth_timestamp="1250097879",oauth_nonce="3202768030"
> >
> > > Each timestamp is larger than the last and eachnonceis unique.
> >
> > > Knowing that my values are legit makes me think there's another
> problem, but
> > > Twitter hasn't responded to my api@ email.
> >
> > > Rob O'Brien
> > > Web Application Developer & Consultant
> > > r...@zepoid.com
> >
> > > -----Original Message-----
> > > From: twitter-development-talk@googlegroups.com
> >
> > > [mailto:twitter-development-t...@googlegroups.com] On Behalf Of Zaudio
> > > Sent: Tuesday, August 11, 2009 12:04 PM
> > > To: Twitter Development Talk
> > > Subject: [twitter-dev] Re:Invalid/usednonce
> >
> > > We're having the same issue in our app, occurs sporadically in our
> > > logs - but I believe the cause with us is that:
> >
> > > We're generatingnoncevalues as a timestamp seeded sequence of random
> > > numbers
> > > We're creating an instance of the Oauth class that does this for each
> > > logged in user for the app
> >
> > > Thus, for a single timestamp, it IS possible that the time
> seedednoncevalues are the same....
> >
> > > So - corrrective action being trialled: I'm prefixing the
> 'random'noncevalue with the userID stripped from the start of the token,
> > > padded to a fixed length of chars... this should guarantee then that
> > > thenonce/timestamp combo is indeed unique for every request made from
> > > our app ....
> >
> > > Simon
> >
> > > On Aug 11, 6:45 am, Dan Borthwick <dan.borthw...@playfish.com> wrote:
> > > > For our app, we successfully call request_token from our server. When
> > > > we then call statuses/update from the client, we get a 401 'Invalid/
> > > > usednonce' response. If the request_token call comes directly from
> > > > the client, the update call succeeds.
> >
> > > > The nonces have been sanity checked and are definitely different for
> > > > each call. GET requests to users/show succeed regardless of whether
> > > > the request_token comes from the proxy server or client. Code is
> based
> > > > on MGTwitterEngine-1.0.8-OAuth.
> >
> > > > The same code was working ok prior to the recent DoS downtime.
> Perhaps
> > > > something has been changed on Twitter's side that might result in the
> > > > 401 response?
> >
> > > > On Aug 11, 8:38 am, graceawalker <grace_blo...@hotmail.com> wrote:
> >
> > > > > No, mynonceis definately new every time. Surely if there was
> > > > > something wrong with the way it was being generated it would error
> > > > > during requestToken/accessToken/VerifyCredentials too?? All the
> code
> > > > > ive looked through is doing it exactly the same way. Is the
> 'status'
> > > > > parameter beingusedjust like all the oauth parameters? is an
> > > > > 'invalidnonce' error, definately an invalidnonceor could it be to
> > > > > do with the timestamp and timezones. Clutching at straws here...
> >
> > > > > On Aug 11, 3:12 am, Chris Babcock <cbabc...@asciiking.com> wrote:
> >
> > > > > > On Mon, 10 Aug 2009 04:14:43 -0700 (PDT)
> >
> > > > > > graceawalker <grace_blo...@hotmail.com> wrote:
> > > > > > > I am calling and getting the whole way up to getting the access
> > > token
> > > > > > > just fine in my app (one im writing myself in c#), but when i
> try
> > > and
> > > > > > > call the update status URL im getting an 'Invalid/usednonce'
> error
> > > in
> > > > > > > my response data. Im not sure why this is, im calling the
> update
> > > > > > > method in the exact same way that i called request token apart
> from
> > > > > > > the new 'status' parameter in the query string. I call 'verify
> > > > > > > credentials' with my access token to ensure that it is working
> and
> > > it
> > > > > > > sends me back all of the correct data, but it is erroring when
> > > trying
> > > > > > > to update my status. Is there any obvious solution to this, or
> am i
> > > > > > > not supposed to be signing and organising the parameters in the
> same
> > > > > > > way that i did before? Im really stuck here guys and need help!
> >
> > > > > > Right, thenonceis a "numberusedonce". Its purpose is to prevent
> > > > > > replay attacks. If you use the samenoncefor more than one call to
> the
> > > > > > API then you *should* be getting an error.
> >
> > > > > > Chris- Hide quoted text -
> >
> > > > - Show quoted text -- Hide quoted text -
> >
> > > - Show quoted text -- Hide quoted text -
> >
> > - Show quoted text -
>



-- 
Internets. Serious business.

Reply via email to