php - Unknown algorithm. Expected HMAC-SHA256 spam in logs - Stack Overflow

admin管理员组

文章数量:1355589

I'm using facebook php sdk 3.1.1 and the current version of the facebook JS sdk. Our users are not reporting errors, but I'm seeing a ton of error log messages like this:

Unknown algorithm. Expected HMAC-SHA256

I see from the source that the error is triggered when reading a signed request with the wrong encoding encoding algorithm, but I'm not sure why that would be, as all signed requests should be generated by the facebook JS code.

Anyone seen this behavior? Any idea how bad a thing this is, or whether it's really indicative of errors? I have been unable to replicate it on demand.

I'm using facebook php sdk 3.1.1 and the current version of the facebook JS sdk. Our users are not reporting errors, but I'm seeing a ton of error log messages like this:

Unknown algorithm. Expected HMAC-SHA256

I see from the source that the error is triggered when reading a signed request with the wrong encoding encoding algorithm, but I'm not sure why that would be, as all signed requests should be generated by the facebook JS code.

Anyone seen this behavior? Any idea how bad a thing this is, or whether it's really indicative of errors? I have been unable to replicate it on demand.

• php
• javascript
• facebook-graph-api
• facebook-javascript-sdk
• facebook-php-sdk

Share Improve this question Follow edited Sep 2, 2011 at 17:38 mike asked Aug 31, 2011 at 18:26 mikemike 21333 silver badges66 bronze badges 6

• 1 Could there be some other source of POST requests to your page that you're running through the same code that you use for decoding the signed_request? – Igy Commented Sep 1, 2011 at 4:58
• I guess that could conceivably be happening, but from looking at the code, the parseSignedRequest() call is passed either $_REQUEST['signed_request'] or $_COOKIE[$this->getSignedRequestCookieName()]). It seems unlikely that either of these are being populated by anything other than the javascript sdk. There is nowhere in our code that references 'signed_request' other than in the php sdk. – mike Commented Sep 2, 2011 at 17:35
• I am starting to see the same stuff in my error logs. I don't understand how this error could happen. The only way the user can get to the page that has the $_REQUEST['signed_request'] is after the user clicks "Register" via the facebook button. Therefore the required information should be populated already. – brant Commented Sep 7, 2011 at 23:56
• I am seeing this all the time. Some small percentage of my users are getting the error consistently. I don't know what that percentage is. The problem seems to be that the cookies aren't being set before the request goes to the server, resulting in failure to authenticate. The symptom is that it claims the algorithm is unknown, but in fact the algorithm hasn't been sent. I'm betting that if you check cookie values and $_REQUEST['signed_request'] they will be empty. I've tried working around it by manually setting $_REQUEST['signed_request'] in my AJAX calls, but that hasn't worked so far. – Garth Commented Oct 21, 2011 at 5:40
• By the way, for me this happens only on AJAX calls using jquery. Is it the same in your case? – Garth Commented Oct 21, 2011 at 5:44

 |  Show 1 more ment

4 Answers 4

Sorted by: Reset to default 3

Try logging some of the signed_request parameters to inspect them manually. For instance, you could change the log line in Base_Facebook::parseSignedRequest to this:

  self::errorLog('Unknown algorithm. Expected HMAC-SHA256, request='.$signed_request);

Once you have a few of these logged, decode them manually or paste them at the end of this URL:

https://developers.facebook./tools/echo?signed_request=

Check what algorithm is specified in the payload or whether the data is malformed in some way. If you share the results here, make sure to omit private data like the access token value.

You might also want to check your web server access logs. For starters, look for GET requests with a signed_request query parameter that occurred around the same time as those entries in your error logs.

Perhaps use the v3.1.1 of the SDK? https://github./facebook/php-sdk

Propably you're doing get/post request to the same page where youre creating Facebook object. So there's no any parameter signed_request for your request and Facebook class returning this error for You :)

Maybe Google or other search engines making request to your site using their crawlers? Thats possibility too.

I hope this answer will be helpful for You.

I looked through my logs and found what I believe to be the problem. I found that there isn't an exact correlation regarding the timestamp, but there is a close enough correlation between this log entry in the syslog and a logged request which uses a bing referer.

The bing referer has a handful of telltale signs of being related:

1) Url: http://www.bing./fbf/search
2) Query string ponents:
2a) form=FBKBFT
2b) pc=FACEBK
2c) signed_request=

Going to http://www.bing./fbf/search loads up what appears to be the facebook bing searcher. If you go to facebook and use the search at the top to look for anything, then go to Web Results, you'll see it uses bing as well.

I believe that bing's facebook integration is somehow passing some sort of invalid data in the signed_request query string. Unfortunately, I'm just the sysadmin and the server I'm seeing this on is one of my customers. One that doesn't care about the error. I've filtered it using syslog-ng to a separate log file, along with a whole slew of other errors ing from php facebook stuff.

本文标签： phpUnknown algorithm Expected HMACSHA256 spam in logsStack Overflow