Weird "ss=1" param ("Invalid signature" error when using session key)

Oct 29, 2009 at 9:39 PM
Edited Oct 29, 2009 at 10:01 PM

I'm getting "Invalid signature" error from Facebook whenever I try to run the following code:

var api = new facebook.API
{
    ApplicationKey = **app_key**,
    IsDesktopApplication = false,
    Secret = **session_secret**,
    uid = **uid**,
    SessionKey = **session_key**
};
var status = api.status.get(); // "Invalid signature" error happens here.

This code is being executed in a C# DLL running on a web app (we have our reasons for running this on the server), and the session key and session secret are acquired from a web browser using the following Javascript:

FB.init(api_key, channel_path);
FB.ensureInit(function() {
    var api = FB.Facebook.apiClient;
    api.requireLogin(function(exception) {
        var session = api.get_session();
        // .. perform AJAX post with a serialization of the session info
    });
});

What are we doing wrong here?

Oct 30, 2009 at 10:15 PM
Edited Nov 3, 2009 at 10:53 PM

OK. Figured it out.

Inspecting the Javascript sig algorithm (publicly accessible) with a debugger, I found this (reformatted for readability):

_generateSignature: function(parameters, sessionSecret) {
    // parameters = {
    //     api_key: "**************",
    //     call_id: *******,
    //     format: "JSON",
    //     method: "status.get",
    //     session_key: "**************",
    //     ss: 1,
    //     v: "1.0"
    // }
    // sessionSecret = "**********" // this._session.secret
    var sb = new FB.StringBuilder();
    // Sort the parameter names, then concatenate "key=value" pairs with no separator
    var keyList = this._convertDictKeysToList(parameters);
    keyList.sort();
    var keysEnmr = new FB.ArrayEnumerator(keyList);
    while (keysEnmr.moveNext()) {
        var key = keysEnmr.get_current();
        sb.append(key + '=' + parameters[key]);
    }
    // Append the secret and MD5 the whole string; the hex digest is the sig
    sb.append(sessionSecret);
    var sig = FB.Sys.trim(FBIntern.Md5.computeHashToString(sb.toString()));
    return sig;
}

Then stepping through the debugger for the C# Facebook Developer Toolkit, I found this:

/// <summary>
/// This method generates the signature based on parameters supplied
/// </summary>
/// <param name="parameters">List of parameters</param>
/// <returns>Generated signature</returns>
internal string GenerateSignature(IDictionary<string, string> parameters)
{

    // parameters:
	//   method = "facebook.status.get",
	//   ui = 0,
	//   limit = 0,
	//   session_key = "***********",
	//   api_key = "*********",
	//   v = "1.0",
	//   call_id = "**********"

	var signatureBuilder = new StringBuilder();

	// Sort the keys of the method call in alphabetical order
	var keyList = ParameterDictionaryToList(parameters);
	keyList.Sort();

	// Append all the parameters to the signature input parameters
	foreach (string key in keyList)
		signatureBuilder.Append(String.Format(CultureInfo.InvariantCulture, "{0}={1}", key, parameters[key]));

	// Append the secret to the signature builder
	signatureBuilder.Append(Secret);

	var md5 = MD5.Create();
	// Compute the MD5 hash of the signature builder
	var hash = md5.ComputeHash(Encoding.UTF8.GetBytes(signatureBuilder.ToString().Trim()));

	// Reinitialize the signature builder to store the actual signature
	signatureBuilder = new StringBuilder();

	// Append the hash to the signature
	foreach (var hashByte in hash)
		signatureBuilder.Append(hashByte.ToString("x2", CultureInfo.InvariantCulture));

	return signatureBuilder.ToString();
}

See the difference? I'll give a hint, it's not in the algorithm, it's in the parameters list (and FYI "ui" and "limit" are optional params).

Fortunately FBDT is open source so I am editing this C# locally. After Googling I have a feeling that this "undocumented feature" was left this way on purpose. Time will tell when this changes.

By the way, I just noticed that just this morning the Documentation link at the Developers URL for Facebook is now Javascript only. The REST API documentation is still buried in there but it's .. well, buried. I have a feeling that Facebook is deprecating support for means of access outside of Javascript.

UPDATE: Turns out, the codebase in the Downloads and the codebase in the Source Code tab are not even remotely similar. Getting latest in dev branch fixes all my problems. I'm still curious about this ss=1 thing, though, and still waiting for someone to explain what it is, what it's for, and when to use it.

Oct 31, 2009 at 4:41 PM

c'mon Stimpy, don't be coy, give us the answer!

did you change all of the parameters to match what is in the Facebook javascript?  

Nov 2, 2009 at 1:52 AM
Edited Nov 2, 2009 at 1:55 AM

The JS had an extra param, ss=1. The only "ss" I know of is our own Javascript namespaces include a JSON hashtable called "ss" (window['ss']) but we're not putting that in the Facebook parameters list. So I have no idea what that means, where it came from, if it will change, what the rules are behind it, or where to go from here. But there you go.

Nov 3, 2009 at 3:51 PM
Edited Nov 3, 2009 at 3:52 PM

AFAIK, the parameter only shows up in the Javascript client API, but if you're creating a session key from Javascript and passing it up to server-side then the session key and its secret are "tainted" with this parameter.

Does anyone have *any* information about this parameter? Did I overlook something in the documentation? Does everyone else see the same thing I'm seeing with this extra parameter?

Dec 22, 2009 at 7:53 PM

ss=1 indicates the signature is generated using the session secret. This is useful for code executing in the users' browser, or in a desktop application.

The absence of ss means signature is generated using the API secret, which is usually the case in server-to-server calls (from your server to FB servers).


From Facebook wiki: "You can see which API methods you can call with a session secret. When you sign your API calls using the session secret, you should append ss=true to every call."

Re: http://wiki.developers.facebook.com/index.php/Authorization_and_Authentication_for_Desktop_Applications

Dec 23, 2009 at 12:42 AM

FDT does add ss=1 to the posts then session secret is used. You can see it in Firebug.

Dec 23, 2009 at 7:41 AM
Edited Dec 23, 2009 at 7:43 AM
doodlemancer wrote:

ss=1 indicates the signature is generated using the session secret. This is useful for code executing in the users' browser, or in a desktop application.

Re: http://wiki.developers.facebook.com/index.php/Authorization_and_Authentication_for_Desktop_Applications

 I think that Wiki entry (the URL you referenced) is brand new.