I've used the code below to create a token in my project.
<?php
session_start();
$_SESSION['token'] = sha1(uniqid(mt_rand(), true));
?>
and send this token to other pages using a hidden input or as a query string.
But in some target pages, created session token is not as same as sent value from the previous page. Sometimes I saw this when I run the project in IE, or sometimes when I work with $_GET to fetch sent value.
What is this problem for ? And how can I solve it ?
Related
I am working on a CustomerEngagement solution that is integrated with twitter. Looking for suggestion with implementation.
I have configured multiple twitter-apps with a call back URL for each twitter-app (same callback URL), pointing to the same end point in CustomerEngagement application.
I have 2 java methods written, 1 for responding to CRC challenge by twitter(authentication) and 1 for actually receiving the tweet from twitter.
I would like to configure multiple twitter-apps to be served/used by the same single instance of the CustomerEngagement-application from the same endpoint
However, the CustomerEngagement application should have a hint about which twitter-app is responsible for posting the tweet to the application, so that CRC response to twitter can be generated accordingly.
Can I pass a different request parameter in each call back URL of different twitter-apps to identify the app?
I already see a conversation on the same
https://twittercommunity.com/t/callback-url-with-fixed-query-string-parameters/107821
however, can some one please elaborate on how to achieve this ? I am assuming that this a 2 step process where registering the call back URL ( along with request parameter ) happens to be step 1, followed by setp 2 in which the call back by twitter having the request parameter registered in step 1 is passed !
Thanks in Advance!!
Say your configured callback_url is xyz.com/social/
append the query strings params when parsing the callback_url
tweepy
import tweepy
auth = tweepy.OAuthHandler(consumer_key, consumer_secret, 'xyz.com/social/?var=val')
url = auth.get_authorization_url()
You get an authorization URL that redirects to a twitter login page. After login, it returns
xyz.com/social/?var=val&oauth_token=****$oauth_verifier=***
Im working with the withings oauth implementation in hopes of retrieving stored values from scales. I can get the request token which I send back in hopes of getting the userid and the oauth_verifier passed back to my application.
What is happening is that if I pass in a full URL via the oauth_callback ( EG "http://some.site.com/myapp.php" ) the withings page displays the results on its page. But if I pass in just a page ( EG "myapp.php" ) withings will append this page name to its site and attempt to pass the parameters there (resulting in a 404). (EG "http://oauth.withings.com/account/myapp.php?oauth_params=..." ).
Other bits:
1. Code is in Perl
2. All oauth_signature values are HMAC_SHA1 signed
3. Any bits passed on the URL are url encoded using uri_escape
My questions:
1. Has anyone succeeded in getting data from withings?
2. Has anyone seen and overcome this problem with oauth_callback?
Turns out the answer is to url encode the address.. and then encode it again when you use it in the resultant signature and URL that you pass to withings.
I was just encoding it once.
Is there away to get the current fragment from a route that was issued via action link. This is how I am getting the action from the route.
string currentAction = requestContext.RouteData.Values["action"] as string ?? "index";
Can I do something similar to this?
string currentFragment = requestContext.RouteData.Values["Fragment"] as string ?? "";
No, you can't do anything like this. The fragment (everything that follows the # sign in an url) is never sent to the server by the browser, so the sole fact of talking about getting the url fragment server side simply doesn't make sense.
So if you have the following url: http://example.com/foo/bar?key1=value1#abc the server will never be able to fetch abc simply because the client will never send it.
As it has already been pointed out that is not possible. Document fragments (the string after the hash as you call it) are intended for the browsers only to correctly position the viewport. They have no meaning for the server and therefore are not transmitted there.
There is however a workaround you can use. Repeat the fragment as part of your url to make it accessible for the server.
Look at the permalink to the answers in this question. For instance, the link to my answer looks like this:
http://stackoverflow.com/questions
/6285833/get-current-fragment-in-route-asp-net-mvc/6286097#6286097
See how the value 6286097 is duplicated as the last route parameter. It's intentional. You can use this technique as well.
P.S. The fragment must point to an identifier in the document (id of some HTML element). At least in XHTML only identifiers work as fragments. Valid ids may not begin with a digit therefore instead of #6286097 use something like #answer-6286097.
P.S.#2. Do not use any JavaScript trickery to get around this limitation. Basic site functionality and design must work without JavaScript - don't listen to anyone who tells you otherwise. Fragments obviously belong to the basic tool box. Use JavaScript only for advanced interactivity.
I have a workaround for you, but first of all lets get more into the problem.
The strings after the hash symbol which are called Fragment values are not query parameters but they are strings to be read by the client-side (living in the browser) and the server cannot read them because they are not sent to the server by the browser.
Some authentication providers like Google and Azure send the access token as Fragment value for security reasons so that they are not transferred over the internet after they get sent as direct response from the authentication provider.
The only way you can come around that is to use javascript to convert the fragment values to query parameters by replacing the '#' with '?' and redirecting to the endpoint in your server controller.
I suppose the easiest way is to handle all that from server, meaning you get get the request in server, send a javascript code to the browser on the fly, that replaces the '#' into '?' and redirects to your second endpoint which reads the token as strong parameter.
Here how you can do it in ASP.NET Core 3.1:
[AllowAnonymous]
[HttpGet("authredirect")]
[Produces("text/html")]
public virtual ContentResult ConvertUrlFragmentToQueryParamThenRedirect()
{
return Content("<html><script>window.location.href=window.location.href.replace('#', '?').replace('authredirect', 'authparams')</script></html>", "text/html");
}
[AllowAnonymous]
[HttpGet("authparams")]
public virtual void GetAccessToken([FromQuery] string access_token)
{
// now you have your access token server side here
}
Please remember to set your redirectUrl to the correct one, in this case 'YOUR REDIRECT URL/authredirect'.
I want to share a dropbox folder via the Ruby API.
Is it possible now or is there anyway?
Thanks
There is always a way, but in this case it would require you to login programmatically via cURL and pass back and forth the data needed. I am trying to figure that out now myself.
[Edit]
Since there's still interest in this thread I'll post the basic instructions, it may have changed since I did this, but this is what was working 6 months ago.
1) You need to log in and remember your cookies.
The login URL is (was) https://www.dropbox.com/login
The data you need to post to the login page is below represented as a php array since that's what I used.
$loginData = array(
't' => $loginToken,
'login_email' => $_POST['input_from_email'],
'login_password' => $_POST['input_from_email_password']
);
The login token is part of the login form and is to prevent XSS so you need to read it from there and include it in your form post or else it will fail.
Once you successfully login you have need to read in the HTML and headers using cURL for the url https://www.dropbox.com/home and parse the
preg_match("/.*TOKEN:(.*),.*/", $homeResponse, $homeResponseMatches);
This pulls the XSS token for the next form which is the form that submits and creates the share. it is used by posting to the URL https://www.dropbox.com/share_ajax/new. and the data that needs to be posted is.
$createShareData = array(
'emails' => $_POST['input_to_email'],
'custom_message' => $_POST['input_message'],
'folder_name' => $_POST['input_folder_name'],
't' => $loggedInToken
);
'$loggedInToken' is the token you scraped from https://www.dropbox.com/home. This will create a new folder and share it with the emails in the 'emails' field which is a comma delimited list of email addresses.
Have fun.
I've been scouring the API and the dev forum, and unforuntately I do not think it's possible (at least not in any straight forward manner).
http://forums.dropbox.com/topic.php?id=25478&replies=10
http://forums.dropbox.com/topic.php?id=22779
I'm trying to get Twitter authentication working on my ASP.NET site. When you create the app on the Twitter website, you have to specify a callback URL, which for sake of argument, I have set to http://mydomain.com
I've read the oAuth 1.0a spec, and to override this callback URL with your own custom one you have to send the oauth_callback parameter in the request_token phase (url-encoded of course).
So my request URL looks like this:
http://twitter.com/oauth/request_token?oauth_callback=http%3A%2F%2Fmydomain.com%2Ftwittercallback
Supposedly, if all goes to plan, in your response data, you are supposed to receive a new parameter of oauth_callback_confirmed=true in addition to your token and token secret parameters.
However, my response comes through as:
oauth_token=MYTOKEN&oauth_token_secret=MYTOKENSECRET
I know I haven't given you guys the greatest amount to go on, but I'm at my wits end as to why I am not receiving the oauth_callback_confirmed parameter. Without this, my application keeps defaulting back to the callback URL hard-coded on the Twitter website. Please if anyone could help me out, I will be eternally grateful!
Thanks,
A.
I've read the oAuth 1.0a spec, and to
override this callback URL with your
own custom one you have to send the
oauth_callback parameter in the
request_token phase (url-encoded of
course).
So my request URL looks like this:
http://twitter.com/oauth/request_token?oauth_callback=http%3A%2F%2Fmydomain.com%2Ftwittercallback
just because YOU read the spec doesn't mean that TWITTER read it. :P
kidding - this is essentially correct - but the way twitter likes to receive this data is a little different (and not well documented).
the way i've found to get the oauth_callback to confirm is as follows: specify the oauth_callback in the parameters of the request function, NOT within the URL.
python example (using oauth2):
''' Create our client.'''
client = oauth.Client(consumer)
''' do the request '''
resp, content = client.request(request_token_url,"POST",body=urllib.urlencode({'oauth_callback':callbackURL}))
''' note that it's called "body" in this particular OAuth function for Client but in OAuth Request object it's called "parameters." YMMV depending on programming language/ library of course. '''
this is ALSO the only way i've managed to get an oauth verifier back. supposedly one should not have to specify the callback URL every time, since we provide it in app settings...but experience seems to indicate otherwise.
finally, please be aware that at leg 3 you have to do the same thing AGAIN - this time including the oauth_verifier as well as the callback URL in the parameters.
hope this helps - can't begin to tell you how much effort i put into figuring this out.
good luck!
J
I've used this guide to set up my PC to be used as the callback location. Basically you set up your hosts file in a certain way, clear your cache and add a couple of Firefox registry values. At the end when you are debugging an oauth call the redirect comes back to your local PC.
As I said it worked for me.
<?php
// oauth-php example
$token = OAuthRequester::requestRequestToken(
$consumer_key,
$user_id,
array('oauth_callback'=> urlencode($callback_uri))
);
?>