I get "Session Expired" when logging in to our site

twy4me · 2012-08-01T01:02:39.000Z

The site I’m working on uses Devise (https://github.com/plataformatec/devise/) and Omniauth (https://github.com/intridea/omniauth) to allow users to logon via Twitter. It works well when it’s used in browsers.

This is how to reproduce the problem:

User is using Twitter’s IOS app
User clicks on a link of our site that was embedded in a tweet
Twitter opens our site via UIWebView
Our site requires the user to login via Twitter
The app executes Safari and redirects to Twitter’s login portal, prompting the user to login
When the users submits the form, it redirects him back to our site and throws an error: “Session Expired”

Any ideas why this is happening? Or anyone experiencing the same problem?

mariorz · 2012-08-15T01:19:32.000Z

I’m experiencing the same issue.
Here’s a confirmation of the steps to reproduce and explanation of why it happens.

User clicks on a link in a tweet which “Twitter for iPhone” opens in a UIWebView.
User then tries to “login via twitter” to that website.
The request token (oauth_token) the website receives from twitter gets stored in the session for the UIWebView.
The website should then redirect the user to the “authenticate page” (on twitter.com), which causes the latest version of “Twitter for iPhone” to open mobile safari and perform the request from there.

The problem:
At this point the MOBILE SAFARI SESSION is not the same as the UIWebView SESSION where the request token was stored, so when:

Twitter redirects the user back to the callback url (still in mobile safari)
The website has no way of accessing the original request token in the session for the UIWebView to verify that it matches the oauth_token received.

michaelkfleming · 2012-08-15T20:27:38.000Z

We have this problem as well.

Our web app supports “Sign in with Twitter”, but when the user views our site as a direct link clicked in the Twitter iOS app, the user is switched from the Twitter app’s embedded web view to Safari in the middle of the OAuth flow and cookies that we need through that flow are lost.

Its very frustrating that “Sign in with Twitter” seems to be broken when a user follows a link in a tweet in the iOS app!

We’d like a way to either (a) break out of the embedded browser and go to Safari sooner or (b) ideally have this be a seamless experience inside the iOS twitter app itself.

twy4me · 2012-08-17T04:39:00.000Z

So I guess we have here the same situations. I posted this in SO (http://stackoverflow.com/questions/11751236/i-get-session-expired-when-logging-in-to-our-site) same time I posted it here but but it’s either no one knows it or I haven’t described it too much. Can you guys help out spread it or maybe rephrase or reinforce it?

episod · 2012-08-17T14:30:16.000Z

One thing to check is that the libraries you are using is accessing the correct URLs. When going through the OAuth flow, you should be going to https://api.twitter.com/oauth/authorize or https://api.twitter.com/oauth/authenticate – not these paths on plain old twitter.com

mariorz · 2012-08-17T17:28:00.000Z

Yeah, I’m using the correct URLs https://api.twitter.com/oauth/authenticate
As stated above, the problem occurs because “Twitter for iPhone” (The official app) breaks out of UIWebView when the website redirects to the twitter auth page, opening mobile safari where the session is different from the one started in the UIWebView. So that leaves os no way of verifying the ouath_token at the end of the flow matches the one received at the start,

twy4me · 2012-08-20T21:26:00.000Z

Yes. The library we use also uses https://api.twitter.com/oauth/authenticate?. But what Mariorz is saying is what’s happening.

mariorz · 2012-08-24T20:55:03.000Z

So I’ve found that Twitter does not verify the token_secret part of the oauth_signature in the last step of the auth flow, when requesting the access token. So a client website that runs into this problem could just pass the oauth_token received as a parameter in the callback url and use an empty string as token_secret when building (with plaintext) the oauth_signature. This works, however it does not comply with twitter’s oauth recommendations or the oauth spec, and could present some security issues. Another possible solution is to redirect the user to the start of the oauth flow when the client is not able to locate an oauth_token in the session, which would cause users to go trough the authentication part twice.

ftaher · 2012-11-26T05:40:59.000Z

@marionz I’m using omniauth-twitter which is failing as you said, I can’t even hit the callback URL. how do I and where do I pass the oauth_token?

Robrosef · 2013-04-30T17:38:49.000Z

@ftaher

I’m using oauth-twitter as well and I’m having a similar experience. I get a session_expired response on a newly auth’d user, my callback url doesn’t get the response. This is working correctly locally, but fails in QA.

Did you happen to find a resolution?