Invalid Signature: Possible malicious login


Yan S.

Jul 4, 2011, 4:49:18 PM
to shopify-api
I've run into this with my test store a few times and noticed a
customer is now getting it as well.


This is a Rails app. Happens when the customer tried to hit the root
of the app. First, does anyone know why this happens? Session on the
server side expiring? And second, how can I capture this exception and
redirect the customer to /login without affecting the other exceptions?

Edward Ocampo-Gooding

Jul 5, 2011, 9:45:16 AM
to shopi...@googlegroups.com
I've heard of this happening but we've never been able to replicate it.

Are you able to reproduce this reliably?


Edward Ocampo-Gooding
Shopify Developer Advocate

Yan Sarazin

Jul 5, 2011, 4:09:56 PM
to shopi...@googlegroups.com
I'll try to find the pattern. I've only seen it when I haven't accessed the site for a long time, then try to hit the root of the app.

-- 
Yan

Yan Sarazin

Jul 6, 2011, 12:18:58 PM
to shopi...@googlegroups.com
Turns out the exception I was seeing with my test app is different. 

A ActiveResource::UnauthorizedAccess occurred in orders#index:

Failed. Response code = 401. Response message = Unauthorized.
activeresource (3.0.7) lib/active_resource/connection.rb:131:in `handle_response'

I was in the app yesterday, navigated away but kept the browser session open since then. This morning tried logging into my app directly using the URL and got the error above. Does anyone know how I can properly capture this and redirect?

-- 
Yan

Justin Rocha

Jul 6, 2011, 2:17:11 PM
to shopi...@googlegroups.com
On Wed, Jul 6, 2011 at 9:18 AM, Yan Sarazin <yan.s...@gmail.com> wrote:
> Turns out the exception I was seeing with my test app is different.
> A ActiveResource::UnauthorizedAccess occurred in orders#index:
> Failed. Response code = 401. Response message = Unauthorized.
> activeresource (3.0.7) lib/active_resource/connection.rb:131:in
> `handle_response'
> I was in the app yesterday, navigated away but kept the browser session open
> since then. This morning tried logging into my app directly using the URL
> and got the error above. Does anyone know how I can properly capture this
> and redirect?
> --
> Yan

I've run into this a number of times with my application. I tracked it
down to expiring sessions somewhere along the line. I think it might
have something to do with Heroku's dynos spinning down and up. At the
moment, I have something fairly brute-force in place to handle it while
I work on something else. You'll probably want to use rescue_from in
application_controller:

    # Catches any RuntimeError, clears the Shopify session and sends the user to login
    rescue_from RuntimeError do
      flash[:error] = "Your session has become invalid. Please log in again."
      session[:shopify] = nil
      redirect_to login_url
    end

--
Justin Rocha
Xenith || xen...@xenith.org || http://xenith.org/
Jabber: xen...@xenith.org  || AIM:  JustinR98
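
A narrower variant of the handler above, as an added example that is not part of the thread: it rescues only ActiveResource::UnauthorizedAccess (the 401 from the trace), so unrelated exceptions still surface instead of being turned into a login redirect. To run without Rails, the exception class and MiniController (a hypothetical stand-in for rescue_from in ApplicationController) are defined inline; the action names are constructed.

```ruby
# Stand-in for the real ActiveResource exception so this runs without the gem.
module ActiveResource
  class UnauthorizedAccess < StandardError; end
end

# Hypothetical minimal imitation of Rails' rescue_from dispatch (assumption).
class MiniController
  def self.handlers
    @handlers ||= []
  end

  def self.rescue_from(klass, &handler)
    handlers << [klass, handler]
  end

  attr_reader :session, :flash, :redirected_to

  def initialize(session)
    @session = session
    @flash = {}
  end

  def redirect_to(url)
    @redirected_to = url
  end

  # Run an action; only exceptions with a registered handler are swallowed.
  def process(action)
    send(action)
  rescue StandardError => e
    _, handler = self.class.handlers.reverse.find { |klass, _| e.is_a?(klass) }
    raise unless handler # no handler registered: re-raise the original exception
    instance_exec(e, &handler)
  end
end

class OrdersController < MiniController
  # In a Rails app this block would sit in ApplicationController.
  rescue_from ActiveResource::UnauthorizedAccess do |_e|
    session[:shopify] = nil # drop the stale API session
    flash[:error] = "Your session has become invalid. Please log in again."
    redirect_to "/login"
  end

  # Constructed actions: one hits the 401, one has an unrelated bug.
  def index_401; raise ActiveResource::UnauthorizedAccess, "Response code = 401"; end
  def index_bug; raise "unrelated bug"; end
end
```
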

Dave

Jul 8, 2011, 4:19:48 PM
to shopify-api
Hi,

If you work with Heroku you will be best off keeping your sessions in
the DB.

For one thing, more than one Dyno means your session has to be shared
across machines, so that complicates things when keeping your session
in a cookie.

I ran into these one day when I cranked my Dynos and experienced
session hell... all resolved now, happily authenticating and dealing
with sessions out of the DB...


