Rails 3.2 + Facebook auth + CSRF FAILURE

This is the error that I see when trying to login via facebook, I always see that error. Can't seem to get rid of it:

Could not authorize you from Facebook because "Csrf detected".

I put a skip:

skip_before_filter :verify_authenticity_token

on the Omniauth callback, but still I get the error. This is in both local and prod (heroku) environments. I have set the heroku environment variables. Any idea?

Pathological answered 18/7, 2012 at 19:4 Comment(0)

I found that the problem was that the gem was too new and was passing a STATE header to Facebook, which FB didn't want. I rolled the omniauth-facebook gem version back and it worked.

Pathological answered 21/7, 2012 at 2:38 Comment(4)
Which version did you roll back to? - Flutterboard
I had the same problem; downgrading omniauth-facebook to 1.4.0 solved the problem. - Incommunicable
github.com/mkdynamic/omniauth-facebook/issues/75 and github.com/intridea/omniauth-oauth2/issues/20 for some more details. - Dorran
Note: CSRF in Rails is not the same as CSRF using OAuth. Those are two distinct systems trying to prevent CSRF; that is why the skip_before_filter doesn't help. - Danas

I had the same issue you have, on the same day!! I thought it was a gem update or something like that, but not at all. With some deep debugging I found that omniauth's "Callback phase initiated." was being called twice.

It was due to a stupid double initialization of

provider :facebook, .....

One in config/initializers/devise.rb and one in another initializer.

I hope it will give you a hint to find your error.

Extravagancy answered 20/7, 2012 at 12:56 Comment(2)
I found that the problem was that the gem was too new and was passing a STATE header to Facebook, which FB didn't want. I rolled the omniauth-facebook gem version back and it worked. - Pathological
I was having this problem with another omniauth provider and could not figure it out until seeing this. Thanks! - Floccule
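The two answers above describe two different ways the OAuth2 "state" check fails, and Danas's comment explains why disabling Rails' own verify_authenticity_token cannot help: the state check lives in the OAuth strategy, not in the Rails form-token filter. The block below is an added, stand-alone model of that check, written for this page and not taken from omniauth-oauth2 or omniauth-facebook. It mints a state nonce in the request phase, stores it in the session, and in the callback phase compares the echoed value and consumes the stored copy, so it reproduces the provider-does-not-return-state case (Pathological's answer), the callback-phase-runs-twice case (Extravagancy's answer), and the forged callback the check exists to stop. The session key, the client id, the redirect URI, the authorization code and the provider behaviour are all assumptions made for the illustration.

```ruby
require 'securerandom'
require 'uri'

# Stand-alone model of the OAuth2 "state" anti-CSRF check that omniauth-oauth2
# performs around the provider redirect. Written for this page; not omniauth code.
# Assumptions: the session is a plain Hash, the provider is simulated in-process,
# and the client id, redirect URI and authorization code are made-up values.
class OAuthStateCheck
  class CsrfDetected < StandardError; end

  SESSION_KEY = 'omniauth.state' # assumed session key name

  attr_reader :session

  def initialize(session = {})
    @session = session
  end

  # Request phase: mint a random nonce, store it in the user's session and send
  # it to the provider as the `state` query parameter of the authorize URL.
  def request_phase(authorize_base = 'https://www.facebook.com/dialog/oauth')
    state = SecureRandom.hex(16)
    session[SESSION_KEY] = state
    query = URI.encode_www_form(
      client_id: 'APP_ID',                                        # assumed value
      redirect_uri: 'https://app.example/auth/facebook/callback', # assumed value
      state: state
    )
    "#{authorize_base}?#{query}"
  end

  # Callback phase: the `state` the provider sends back must equal the one in
  # the session, and the stored copy is deleted so it can be used exactly once.
  # This check is independent of Rails' form token; skipping
  # verify_authenticity_token does not touch it.
  def callback_phase(params)
    expected = session.delete(SESSION_KEY)
    if expected.nil? || params['state'] != expected
      raise CsrfDetected, 'Csrf detected'
    end
    { 'code' => params['code'] }
  end
end

# Simulated provider redirect back to the app. A compliant provider echoes the
# `state` it was given; `echo_state: false` models one that drops it.
def provider_redirect(authorize_url, echo_state: true)
  sent = URI.decode_www_form(URI(authorize_url).query).to_h
  params = { 'code' => 'AQD-constructed-code' }                  # constructed value
  params['state'] = sent['state'] if echo_state
  params
end

# Runs one login flow and returns either the callback result or the error text.
#   echo_state: false -> provider did not return state (the too-new-gem case)
#   callbacks: 2      -> callback phase initiated twice (the double-provider case)
#   forged_state:     -> a callback that did not originate from this session
def scenario(echo_state: true, callbacks: 1, forged_state: nil)
  flow = OAuthStateCheck.new
  params = provider_redirect(flow.request_phase, echo_state: echo_state)
  params['state'] = forged_state if forged_state
  result = nil
  callbacks.times { result = flow.callback_phase(params) }
  result
rescue OAuthStateCheck::CsrfDetected => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  puts scenario.inspect                 # {"code"=>"AQD-constructed-code"}
  puts scenario(echo_state: false)      # Csrf detected
  puts scenario(callbacks: 2)           # Csrf detected
  puts scenario(forged_state: 'x' * 32) # Csrf detected
end
```

The double-initialization failure is worth noting: the first callback pass consumes the session copy of the state, so the second pass finds nothing to compare against and reports the same "Csrf detected" message as a genuine forgery. Both symptoms look identical from the error text alone, which is why the two answers above reached different root causes for the same message.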

Are you sending a P3P header? Maybe add...

class ApplicationController < ActionController::Base
  before_filter :set_p3p

  private

  # P3P compact policy; Internet Explorer requires it before it will accept a
  # third-party cookie, such as a session cookie set inside a Facebook iframe.
  def set_p3p
    headers['P3P'] = 'CP="ALL DSP COR CURa ADMa DEVa OUR IND COM NAV"'
  end
end

to your application controller.

Weatherbound answered 18/7, 2012 at 19:49 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.