
State token tampering

Open razorman8669 opened this issue 10 years ago • 6 comments

I keep getting the "The state parameter may have been tampered with" message when authenticating with Google. I am hosted on Heroku with 2 instances. I had a guess that it was being caused by having the 2 instances: it starts the authentication on 1 instance but ends on the other instance. This, however, doesn't appear to be the case, since I shut down all but 1 instance and it was still happening. It happens about 80% of the time when trying to log in, and I am definitely not tampering with the state token on my own account.

What could be causing this issue and is there a way to disable the state token checking?

I am using play-authenticate v0.5.2 with deadbolt-java 2.2.1-RC1.

razorman8669 avatar Feb 01 '14 02:02 razorman8669

@razorman8669 can you create a sample app where I can have a look at the issue?

joscha avatar Feb 23 '14 20:02 joscha

I'm having the same issue.

Actually, I've got Facebook and Google authentication, and previously (when it was only Facebook) it was fine. Now I get this message sometimes (but not always) with both auth channels.

Feel free to try it http://www.bookmyvet.fr/en/

Also, the first attempt to log in with Facebook in a browser with no cache/cookies saved for PA throws a NullPointerException here: https://github.com/joscha/play-authenticate/blob/20f9c0ee44fbf129b3b6f8434c6f66f84c90093c/code/app/com/feth/play/module/pa/providers/oauth2/OAuth2AuthProvider.java#L191. On a second attempt it works.

megaponchic avatar Mar 24 '14 15:03 megaponchic

@megaponchic is your application scaled over more than one machine?

joscha avatar Mar 24 '14 21:03 joscha

@joscha yes, over 2 heroku web dynos

megaponchic avatar Mar 24 '14 22:03 megaponchic

Have a look at this PR: https://github.com/joscha/play-authenticate/pull/153. I haven't found the time to integrate it yet, but that would be a possible fix for you. Another one would be using a shared memcache for the play.Cache instead of the default EhCache implementation.

joscha avatar Mar 24 '14 22:03 joscha
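The failure mode joscha describes (state issued on one dyno, callback verified on another dyno whose local EhCache never saw it) can be reproduced without Play at all. The following is an added, constructed simulation, not play-authenticate's own code: it models two app instances that either each own an in-process cache or share one cache, and runs a login whose callback is routed to a different instance than the one that started it. The cache key layout `pa.state.<session>` and the single-use removal are assumptions made for the example; the error text is the one quoted in the issue.

```python
"""Simulate the OAuth2 state check behind a round-robin load balancer.

Constructed example (not project code): two app instances each hold their
own in-process cache (like the per-JVM EhCache default) or share one cache
(like a shared memcache). The state token is issued on the instance that
starts the login and verified on the instance that receives the callback.
"""
import hmac
import secrets


class Cache:
    """Minimal key/value cache; one per instance (local) or one overall (shared)."""

    def __init__(self):
        self._store = {}

    def set(self, key, value):
        self._store[key] = value

    def get(self, key):
        return self._store.get(key)

    def remove(self, key):
        self._store.pop(key, None)


class StateMismatch(Exception):
    pass


class AppInstance:
    """One web dyno. The key layout 'pa.state.<session>' is an assumption."""

    def __init__(self, name, cache):
        self.name = name
        self.cache = cache

    def start_auth(self, session_id):
        # Fresh unguessable state, stored server-side, then sent to the provider
        # in the authorization redirect.
        state = secrets.token_urlsafe(32)
        self.cache.set(f"pa.state.{session_id}", state)
        return state

    def finish_auth(self, session_id, returned_state):
        # Callback handler: the state echoed by the provider must match the
        # one this deployment issued. A per-instance cache only knows the
        # states issued on this instance, so a cross-instance callback fails.
        key = f"pa.state.{session_id}"
        expected = self.cache.get(key)
        self.cache.remove(key)  # single use (assumption)
        if expected is None or not hmac.compare_digest(expected, returned_state):
            raise StateMismatch("The state parameter may have been tampered with")
        return True


def login(start_on, finish_on, session_id="sess-1"):
    """Run one login: start on one instance, callback lands on another."""
    state = start_on.start_auth(session_id)
    try:
        return finish_on.finish_auth(session_id, state)
    except StateMismatch:
        return False


def simulate(shared_cache):
    """Return (same-instance outcome, cross-instance outcome)."""
    if shared_cache:
        cache = Cache()
        web1, web2 = AppInstance("web.1", cache), AppInstance("web.2", cache)
    else:
        web1, web2 = AppInstance("web.1", Cache()), AppInstance("web.2", Cache())
    return login(web1, web1), login(web1, web2)


if __name__ == "__main__":
    print("local caches :", simulate(shared_cache=False))  # (True, False)
    print("shared cache :", simulate(shared_cache=True))   # (True, True)
```

With per-instance caches the cross-instance login is rejected with exactly the message from the issue even though nobody touched the token, which is why the number of dynos is the first thing to check; with a shared cache both routings succeed, and a genuinely altered state value is still rejected.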

I'll have a look, thanks!

megaponchic avatar Mar 24 '14 22:03 megaponchic