I am developing an iFrame app (no Canvas involved, just pure iFrame): As an FB user, when submitting any form like node creation or comments, I get one of the two behaviors:

Yesterday, every time I submit a form, I get the result page, which reloads forever, until I hit 'Stop' or kill the browser window.

That was using beta4.

Today I get up to try the new dev version, but something has changed before I even have a chance to try that: Now anytime I submit a form I get an 'Access Denied' page and I am no longer logged into the Drupal site. If I reload the page, I am again 'connected' to Drupal (theme shows my 1234@facebook name) then I am back at the edit/create form I was at previously, the form fields filled in: if it was a node form, the node create/edit seems to have gone through, but if it's a comment submission, then the comment was NOT created/posted/changed.

I installed the new dev version 2.x-dev, but I'm not seeing any difference.

I'm using Safari as the browser. I have other testers saying they get the "infinite reload".

Since the devel block is not visible on the access denied page: I hit reload to get this ('mysite.com' is subbed in for actual URL):

Page Status = Rendering iframe.
fb_facebook_user = 100000795704019
users_isAppUser = 1
users_isAppUser(100000795704019) = 1
local user = 100000795704019...
fb_get_fbu = 100000795704019
base_url = http://mysite.com
base_path = /
url() returns = /fb_cb/1/
$_REQUEST[q] is = fb_cb/1/node/add/story
arg(0) is = node
arg(1) is = add
session_id = fb_canvas_1_2.95230D_jSmuPCaZ1V14iMQ__.3600.1268780400-100000795704019
session_name = fb_canvas_1_SESS15dcc33f94f96f2a3311b482af87ce8f

Comments

ccshannon’s picture

Okay, I made devel block open to anon users and tried again. Got this in the Devel 2 block. Looks like the session key is missing:

Page Status = Global fb instance is set (followed link in iframe, or handling a form).

fb
Facebook Object
(
    [api_client] => FacebookRestClient Object
        (
            [secret] => 08c44127bc0899e10ae92a593da02ed7
            [session_key] => 
            [api_key] => c1e32ec1c2a72cd16e1d0e91de6f6937
            [friends_list] => 
            [user] => 
            [added] => 
            [is_user] => 
            [canvas_user] => 
            [batch_mode] => 0
            [batch_queue:private] => 
            [pending_batch:private] => 
            [pending_batch_is_read_only:private] => 
            [call_as_apikey:private] => 
            [use_curl_if_available:private] => 1
            [format:private] => 
            [using_session_secret:private] => 
            [rawData:private] => <?xml version="1.0" encoding="UTF-8"?>
<error_response xmlns="http://api.facebook.com/1.0/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://api.facebook.com/1.0/ http://api.facebook.com/1.0/facebook.xsd">
  <error_code>102</error_code>
  <error_msg>parameter uid or session key required</error_msg>
  <request_args list="true">
    <arg>
      <key>method</key>
      <value>facebook.users.isAppUser</value>
    </arg>
    <arg>
      <key>session_key</key>
      <value/>
    </arg>
    <arg>
      <key>api_key</key>
      <value>c1e32ec1c2a72cd16e1d0e91de6f6937</value>
    </arg>
    <arg>
      <key>v</key>
      <value>1.0</value>
    </arg>
    <arg>
      <key>uid</key>
      <value/>
    </arg>
    <arg>
      <key>call_id</key>
      <value>1268775259.6463</value>
    </arg>
    <arg>
      <key>sig</key>
      <value>3b60b5142d997c2a9794edc2901119cd</value>
    </arg>
  </request_args>
</error_response>

            [last_call_id] => 1268775259.6463
            [server_addr] => http://api.facebook.com/restserver.php
            [photo_server_addr] => http://api-photo.facebook.com/restserver.php
            [read_server_addr] => http://api-read.facebook.com/restserver.php
        )

    [api_key] => c1e32ec1c2a72cd16e1d0e91de6f6937
    [secret] => 08c44127bc0899e10ae92a593da02ed7
    [generate_session_secret] => 
    [session_expires] => 
    [fb_params] => Array
        (
        )

    [user] => 
    [profile_user] => 
    [canvas_user] => 
    [ext_perms] => Array
        (
        )

    [base_domain:protected] => 
)
fb_facebook_user = 
fb_api_check_session() = Returned FALSE
local user = Anonymous
fb_get_fbu = 
base_url = http://mysite.com
base_path = /
url() returns = /fb_cb/1/
$_REQUEST[q] is = fb_cb/1/content/yet-again-test-event
arg(0) is = node
arg(1) is = 13
session_id = b5e74330f3aa5910b34606b6025b8b3c
session_name = SESS15dcc33f94f96f2a3311b482af87ce8f

Dave Cohen’s picture

Safari won't respect a cookie set by an iframe if the domain is not the same as the parent. As far as I know, it's the only browser like this.

Either change your form action so that it goes to a url starting with apps.facebook.com/YOURAPP/...

Or, try editing your settings.php. Add this before you include fb_settings.inc...

$conf['fb_session_cookieless_iframe'] = TRUE;

Using this, the session key will become part of the URL, instead of being passed via cookies. I'm not expert enough to know if that's a security problem...

If you have ideas for a better fix, let me know.
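
An added example, not part of the original thread and not code from the Drupal for Facebook module, on the question raised in the comment above: once the session key travels in the URL, it shows up in access logs and in Referer headers. The Python check below finds and masks such parameters; the set of names treated as sensitive and the log lines are assumptions constructed for this example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption for this example: these parameter names (taken from the URLs
# quoted in the thread) are treated as credentials.
SENSITIVE = {"fb_sig_session_key", "fb_sig_ss", "fb_sig", "fb_sig_cookie_sig"}

# Combined Log Format: request line, status, size, then the quoted Referer.
LOG_RE = re.compile(
    r'"(?:GET|POST) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"')

def _split(url):
    """Parse a URL, accepting the &amp; form seen in View Source output."""
    parts = urlsplit(url.replace("&amp;", "&"))
    return parts, parse_qsl(parts.query, keep_blank_values=True)

def leaked_params(url):
    """Sorted names of sensitive parameters that carry a value in the URL."""
    return sorted({k for k, v in _split(url)[1] if k in SENSITIVE and v})

def redact_url(url):
    """Return the URL with the values of sensitive parameters masked."""
    parts, pairs = _split(url)
    masked = [(k, "REDACTED" if k in SENSITIVE and v else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(masked, safe="[]")))

def scan_log(lines):
    """Return (line number, field, leaked names) for each exposing URL."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if not match:
            continue
        for field in ("target", "referer"):
            names = leaked_params(match.group(field))
            if names:
                hits.append((number, field, names))
    return hits

# Constructed log lines; TOKEN and SIG are placeholders, not real values.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Mar/2010:10:00:01 +0000] "POST /fb_cb/1/node/add/story?fb_sig_user=1&fb_sig_session_key=TOKEN&fb_sig=SIG HTTP/1.1" 200 512 "-" "UA"',
    '203.0.113.5 - - [17/Mar/2010:10:00:02 +0000] "GET /misc/logo.png HTTP/1.1" 200 900 "http://mysite.com/fb_cb/1/node/2?fb_sig_session_key=TOKEN" "UA"',
    '203.0.113.5 - - [17/Mar/2010:10:00:03 +0000] "GET /node/1 HTTP/1.1" 200 700 "-" "UA"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The hit on the second sample line is the case a cookie avoids: a request for an image made from a page whose URL carries the session key can pass that key along in the Referer header.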

jindustry’s picture

I believe Google Chrome has a similar problem. According to this page (http://wiki.developers.facebook.com/index.php/Talk:Fb:iframe): "Safari: Don't load the target page in iframe right away. Instead have an intermediate page which just has a link to the page you want to load in the iframe. Cookies aren't set in Safari unless a user lands on a page due to an explicit click."

ccshannon’s picture

Thanks, Dave.

Just FYI, one of my colleagues got the 'Access Denied' result using FF Mac instead of Safari.

For the sake of time, I employed the fb_settings.inc change, and that solved the 'Access Denied' issue. If/when I have more time, I will try the form action trick.

On Safari, the form took a while to submit and return, but it works.

But on FF Win/Mac, Chrome, and of course IE, bane of web developers' lives everywhere, we're all back to 'Infinite Reload' on all form submissions in the iFrame app.

So, I can only assume for now they are two separate issues.

So I'm at a fork in the road: Shall I create a new issue, given the solution in http://drupal.org/node/714018 doesn't solve it for me? Or shall I leave this issue open?

I'm not using Global Redirect or any redirection modules, btw.

ccshannon’s picture

Update: I changed the form action and removed the change to settings.php -> $conf['fb_session_cookieless_iframe']

The good:

- 'Access Denied' doesn't happen
- 'Infinite Reload' doesn't happen

The bad:

- Can't create nodes or comments
- Submitting node or comment returns the page to an empty form
- So, for example, if my form action is

/node/add/story

... and the DFF module tacks on /fb_cb/1, making it

/fb_cb/1/node/add/story/

... and then I tack on to make

http://apps.facebook.com/MYAPPNAME/fb_cb/1/node/add/story

The resulting action, viewed through Facebook iFrame is (from View Source) - Note I am using Organic Groups which adds gids[]=nid as first parameter:


http://apps.facebook.com/MYAPPNAME/fb_cb/1/node/add/story?gids[]=2&amp;fb_sig_in_iframe=1&amp;fb_sig_iframe_key=70efdf2ec9b086079795c442636b55fb&amp;fb_sig_locale=en_US&amp;fb_sig_in_new_facebook=1&amp;fb_sig_time=1268849936.6313&amp;fb_sig_added=1&amp;fb_sig_profile_update_time=1266853480&amp;fb_sig_expires=1268856000&amp;fb_sig_user=100000795704019&amp;fb_sig_session_key=2.rhTZlzvLZk7FwMkdS_BJfw__.3600.1268856000-100000795704019&amp;fb_sig_ss=IfsvsZs2ZwCFkijkjoYK4A__&amp;fb_sig_cookie_sig=d1dc491c04e683e56d2c6f8f6b32e962&amp;fb_sig_ext_perms=auto_publish_recent_activity&amp;fb_sig_api_key=c1e32ec1c2a72cd16e1d0e91de6f6937&amp;fb_sig_app_id=361930050743&amp;fb_sig=b77b7c4cd0abe440e4db4408ffe295e

When I submit form as admin viewing app as a regular Drupal site, the forms work. The added URL doesn't affect posting.

ccshannon’s picture

Another update: Now I'm throwing crap at walls, seeing what sticks. I'm in the weeds, flying blind, choose your analogy.

I removed the form action changes, and suddenly, I am able to create/edit nodes, comments, comment replies, and there is no 'access denied' message or infinite reloading. EVERYTHING WORKS. I am totally confused.

In Win IE, I submitted a comment and got the dreaded 'Validation error ...' alert. I ran cron, reloaded comment form, submitted, and voila, everything suddenly works.

I have to wonder if all of this is related to session IDs set by Drupal.

Sorry for posting so much. It's the only thing keeping me sane right now.

Is all this, I wonder, caused by not running cron regularly? I have site cache disabled. But I have to run cron manually for now, so I only run it every few days.

Dave Cohen’s picture

Hmmm... it's not a good feeling when things just work or not without knowing for sure why. And I certainly don't know why they weren't working to start with. Canvas pages add a layer of complexity to troubleshooting Drupal, and iframes still more.

I'm glad it's working though. I don't plan to give this more thought unless you report more problems. :)

I can tell you that your modified form action was wrong. You should never see a URL like apps.facebook.com/MYAPP/fb_cb/NNN/... The fb_cb/NNN part should remain behind the scenes. That is, the user sees the apps.facebook.com/MYAPP part, and Facebook makes requests to example.com/fb_cb/NNNN/....

ccshannon’s picture

It started happening again later, unfortunately.

I was actually subbing out the /fb_cb/1/ when tacking on the full URL, then put it back, then removed everything.

Is it normal for the form action to be like this (in source - without me altering it)?

<form action="/fb_cb/1/node/2/edit?fb_sig_in_iframe=1&amp;fb_sig_iframe_key=70efdf2ec9b086079795c442636b55fb&amp;fb_sig_locale=en_US&amp;fb_sig_in_new_facebook=1&amp;fb_sig_time=1268882448.9214&amp;fb_sig_added=1&amp;fb_sig_profile_update_time=1266853480&amp;fb_sig_expires=1268888400&amp;fb_sig_user=100000795704019&amp;fb_sig_session_key=2.EZRAqSjh6PIi7C1YPpDHJg__.3600.1268888400-100000795704019&amp;fb_sig_ss=DBlGQjGoaf_GLpHVgtQxpg__&amp;fb_sig_cookie_sig=1d0ea02bd3cbf48c2de5e5dd5893b2f9&amp;fb_sig_ext_perms=auto_publish_recent_activity&amp;fb_sig_api_key=c1e32ec1c2a72cd16e1d0e91de6f6937&amp;fb_sig_app_id=361930050743&amp;fb_sig=1d7db7b910e1972eaf84b59b9d657d8a"  accept-charset="UTF-8" method="post" id="node-form" enctype="multipart/form-data">

Dave Cohen’s picture

Yes, I believe Drupal is adding the query to the form action. Which it adds only because that query was passed by Facebook to the page that displays the form.

ccshannon’s picture

Something I've noticed, and I wonder whether or not it's a coincidence, but I seem to have better luck with form submits after I've run Drupal cron. I have cache disabled, yet after I run cron, and go to the app via FB, I have no problems.

I'm about to set up cron to run regularly, and I wonder if that has any bearing.

I just installed beta5 (thanks Dave!) so maybe this all blows over.

ccshannon’s picture

Title: Facebook iFrame App: Form submits result in either 'Access Denied' or 'Infinite Reload' » Facebook iFrame App: Form submits result in 'Access Denied'

Ok, the 'Access Denied' issue in Safari is fixed, and now I can see where the infinite reload is coming from, and they are definitely unrelated issues. So, I think it's safe to say that this issue is closed, and I will either open a new issue or find the one that relates to the reload issue.

Dave Cohen’s picture

Category: support » feature

Let's not resolve this just yet. Based on your comment in #3, I can imagine a feature which forces a user to click through to see an app. I don't plan to implement it anytime soon. Perhaps someone will, and at any rate we can keep this thread for others to find.

dipen chaudhary’s picture

I have a similar problem: I have a quiz in Drupal (multistep form) which I need to expose as an fb app, and I am developing it as an iframe application based on 6.2. I have set the callback url as the url to my quiz, I have checked the option of registering a local user based on the fb user and not allowing anonymous requests. I get the quiz displayed fine in a fb_fbml theme and get the first question, but when I choose my answer and press next, it logs me out of the session of the facebook user. If I reload the facebook app page, my quiz resumes fine with session intact, but on form submission (pressing next or back on the quiz) the session doesn't hold. In the incognito window, I can see in the who's online block that my facebook user is logged in but somehow on form submission it doesn't load the session of fb user.

After much debugging, I have found that if I keep verbose == extreme, my quiz runs fine coz of drupal_goto in OP= FB_OP_EXIT, but it keeps adding the $_REQUEST['q'] to the app url, which is something like ... apps.facebook.com/my-quiz/node/661/take/node/661/take/node/661/take (given I pressed next 3 times, i.e. answered 3 questions in the quiz), which is certainly not ideal. I am not sure if I can rewrite the url on every press to remain the same, but again not sure if that is ideal.

I have tried every solution mentioned in this issue, but I think cookies are set fine coz my fb user does log into my Drupal instance fine; it's just that on a page reload after page submission it doesn't pick the right session. I am using Chrome on Linux.

Any ideas? I can try changing the form action like you suggested above, but I'm not sure if I completely understand it. Do you think fb_canvas_form_action_via_facebook($form); mentioned at http://drupal.org/node/694800 will help?

Apologies if I am hijacking the thread (not sure what to do in this case), but this issue is very similar to mine. Please let me know if I should create a separate issue.

dipen chaudhary’s picture

Hey Dave,

I am sorry, I should have stuck with it a little more, but I still wanna put out what I did to see if it's alright. My app is working fine now.

So Line 273 in 6.2 rc 2 fb_canvas.module is:

        if (fb_verbose()) {
          watchdog('fb_debug', "FB_OP_EXIT on canvas page redirecting to $app_destination (original destination was $destination).");
        }
        $fb->redirect($app_destination);
      }

I have changed it to:

        if (fb_verbose()) {
          watchdog('fb_debug', "FB_OP_EXIT on canvas page redirecting to $app_destination (original destination was $destination).");
        }
        $fb->redirect('http://apps.facebook.com/'.$fb_app->canvas);

So I have taken the redirect out of the if condition, and I'm not sure why it should redirect only when I am debugging. It's a quick solution; would be great if you can review the change.

Dave Cohen’s picture

Well, I don't know off-hand why the $app_destination is wrong. But your change always goes back to the canvas home, which I'm sure is not right.

My real concern (in this thread anyway) is the 3.x branch.

ntrepid8’s picture

$conf['fb_session_cookieless_iframe'] = TRUE;

Is this how drupalforfacebook.org is configured? (in #2) How do you handle the Safari 3rd party cookie rejection? This issue is blocking new Safari users from signing up for my app on Facebook.

Ntrepid8

Dave Cohen’s picture

Component: Facebook Connect » Canvas Pages (iframe)

drupalforfacebook.org has some experimental code in place. It's not ideal, and I don't know if it will be supported. It might even go away in the 3.0 release. Basically, I don't know the proper way to handle the third-party cookie problem.

But on drupalforfacebook.org, I have this line in settings.php:

$conf['session_inc'] = "profiles/custom/modules/fb/fb_session.inc";

In addition to the includes needed,