joscha / play-authenticate

An authentication plugin for Play Framework 2.x (Java)
http://joscha.github.com/play-authenticate/

State token tampering #149

Open razorman8669 opened 10 years ago

razorman8669 commented 10 years ago

I keep getting the "The state parameter may have been tampered with" message when authenticating with Google. I am hosted on Heroku with 2 instances. I had a guess that it was being caused by having the 2 instances, and that it starts the authentication with 1 instance but ends on the other instance. This, however, doesn't appear to be the case, since I shut down the instances to 1 and it was still happening. It happens about 80% of the time when trying to log in, and I am definitely not tampering with the state token on my own account.

What could be causing this issue and is there a way to disable the state token checking?

I am using play-authenticate v0.5.2 with deadbolt-java 2.2.1-RC1.

joscha commented 10 years ago

@razorman8669 can you create a sample app where I can have a look at the issue?

megaponchic commented 10 years ago

I'm having the same issue.

Actually I've got Facebook and Google authentication, and previously (when it was only Facebook) it was fine. Now I get this message sometimes (but not always) with both auth channels.

Feel free to try it http://www.bookmyvet.fr/en/

Also, the first attempt to log in with Facebook in a browser with no cache/cookies saved for PA throws a NullPointerException here: https://github.com/joscha/play-authenticate/blob/20f9c0ee44fbf129b3b6f8434c6f66f84c90093c/code/app/com/feth/play/module/pa/providers/oauth2/OAuth2AuthProvider.java#L191 On a second attempt it works.

joscha commented 10 years ago

@megaponchic is your application scaled over more than one machine?

megaponchic commented 10 years ago

@joscha yes, over 2 Heroku web dynos

joscha commented 10 years ago

Have a look at this PR: https://github.com/joscha/play-authenticate/pull/153 - I haven't found the time to integrate it yet, but that would be a possible fix for you. Another one would be using a shared memcache for play.Cache instead of the default EhCache implementation.
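As an added illustration (not code from play-authenticate or from anyone in this thread), a small Python model of the behaviour joscha describes: the OAuth2 `state` value is stored in the cache when login starts and looked up when the provider callback arrives. With a per-instance cache, a callback routed to the other dyno finds no stored state and the login is rejected as "tampered"; a cache shared by both instances makes the round trip succeed. `LocalCache`, `AppInstance`, and `login_roundtrip` are names assumed for this model.

```python
import hmac
import secrets
import time


class LocalCache:
    """Per-instance in-memory cache (the role EhCache plays behind play.Cache here)."""

    def __init__(self):
        self._entries = {}

    def set(self, key, value, ttl):
        self._entries[key] = (value, time.time() + ttl)

    def pop(self, key):
        # Single use: the state is removed on first lookup so it cannot be replayed.
        entry = self._entries.pop(key, None)
        if entry is None or entry[1] < time.time():
            return None
        return entry[0]


class AppInstance:
    """One web dyno. Its cache is either private or shared with other dynos."""

    def __init__(self, cache):
        self.cache = cache

    def start_login(self, session_id):
        state = secrets.token_urlsafe(24)
        # Bind the state to the browser session, like the real flow does.
        self.cache.set(("oauth2_state", session_id), state, ttl=600)
        return state

    def handle_callback(self, session_id, returned_state):
        expected = self.cache.pop(("oauth2_state", session_id))
        if expected is None:
            # Expired, already used, or stored on another instance:
            # indistinguishable from a forged state, hence the "tampered" error.
            return False
        return hmac.compare_digest(expected, returned_state)


def login_roundtrip(start, finish, session_id="sess-1", tamper=False):
    """Start the login on one instance and deliver the callback to another."""
    state = start.start_login(session_id)
    if tamper:
        state = "x" * len(state)  # constructed: a modified state parameter
    return finish.handle_callback(session_id, state)
```

Run with two separate `LocalCache` objects to reproduce the failure, and with one `LocalCache` passed to both instances to see the shared-cache fix.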

megaponchic commented 10 years ago

I'll have a look, thanks!