I am using the dropbox php sdk webauth functions to allow my customers to authorize Dropbox to allow my site to list their items in dropbox. The site just moved servers to Amazon ELB (elastic load balancing). Now that I have multiple servers I am having issues getting Dropbox to work. I will get the CSRF mismatch error (request leaves from one server and returns on another).
I have moved the sessions to cookies (that's where I store the access token after the request) but I am having issues getting the authorize request working. Is there a way to make this work or do I need to build my Dropbox differently? I will post code if need be, but it pretty much follows the WebAuth example.
Thank you in advance,
The following would be helpful so we can offer some insight:
- the steps to reproduce the issue
- the full text of the error/any output
- the relevant code snippet(s), including any changes you made to "move the session's to cookies"
Gregory, my code works on a single server (it's alive in production now).
Where the code sets/reads the session data, I just replaced it with cookies, which will have no bearing on handling the authorization request. The exact error is the generic
"/dropbox-auth-finish: CSRF mismatch: expect ##########, got ########". This is because the request is leaving one server and returning on another. My logs show the request leave and return on different servers. I see no documentation on handling this workflow.
Have you built Dropbox to work with multiple servers before?
I'm still not clear what change you made exactly regarding the cookies and sessions, but that certainly would be relevant here, as the error is indicating that the CSRF token didn't match what was expected, and the SDK stores the expected CSRF token in the session. You can see that here in the SDK where the exception is thrown:
We don't have any specific documentation on how to handle this in an environment like yours, and in any case I suspect it would be specific to the environment, so I recommend looking at how the code works, and updating your code and/or the SDK as necessary.
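One way to make the CSRF check survive a callback that lands on a different server is to give WebAuth a token store that does not depend on server-local PHP sessions. The example below is added here and is not code from the thread or from the Dropbox SDK; it assumes the SDK 1.x `\Dropbox\ValueStore` interface (`get()`, `set($value)`, `clear()`) and the `\Dropbox\WebAuth` constructor that accepts such a store as its fourth argument. The store keeps the CSRF token in an HMAC-signed cookie with an expiry, so any server that shares the signing secret can verify it. The cookie name, secret and TTL are placeholders of my own.

```php
<?php
// Added example (not from the Dropbox SDK): a CSRF-token store for WebAuth that
// keeps the token in an HMAC-signed, short-lived cookie instead of $_SESSION, so
// the /dropbox-auth-finish request can be handled by any server behind the ELB.
// Assumes the SDK 1.x \Dropbox\ValueStore interface: get(), set($value), clear().

class SignedCookieCsrfStore implements \Dropbox\ValueStore
{
    private $cookieName;
    private $secret;   // must be identical on every server behind the load balancer
    private $ttl;      // seconds the token stays valid (authorize round trip is short)

    public function __construct($cookieName, $secret, $ttl = 600)
    {
        $this->cookieName = $cookieName;
        $this->secret = $secret;
        $this->ttl = (int) $ttl;
    }

    // Cookie format: base64(token) . "." . expiry . "." . hmac_sha256(base64(token) . "." . expiry)
    public function set($value)
    {
        $expires = time() + $this->ttl;
        $payload = base64_encode($value) . '.' . $expires;
        $mac = hash_hmac('sha256', $payload, $this->secret);
        $cookie = $payload . '.' . $mac;
        // Secure + HttpOnly: only sent over HTTPS and not readable by page scripts.
        setcookie($this->cookieName, $cookie, $expires, '/', '', true, true);
        // Make the value visible to code running later in this same request.
        $_COOKIE[$this->cookieName] = $cookie;
    }

    // Returns the stored token, or null if the cookie is missing, tampered with, or expired.
    public function get()
    {
        if (!isset($_COOKIE[$this->cookieName])) {
            return null;
        }
        $parts = explode('.', $_COOKIE[$this->cookieName]);
        if (count($parts) !== 3) {
            return null;
        }
        list($encoded, $expires, $mac) = $parts;
        $expected = hash_hmac('sha256', $encoded . '.' . $expires, $this->secret);
        // Constant-time comparison so the MAC check does not leak timing information.
        if (!hash_equals($expected, $mac)) {
            return null;
        }
        if ((int) $expires < time()) {
            return null;
        }
        $value = base64_decode($encoded, true);
        return $value === false ? null : $value;
    }

    public function clear()
    {
        setcookie($this->cookieName, '', time() - 3600, '/', '', true, true);
        unset($_COOKIE[$this->cookieName]);
    }
}

// Wiring it into the SDK's WebAuth flow (names below are placeholders for your own values):
// $appInfo   = \Dropbox\AppInfo::loadFromJsonFile('/path/to/app-info.json');
// $cookieSecret = getenv('DROPBOX_CSRF_COOKIE_SECRET');   // same value on every server
// $csrfStore = new SignedCookieCsrfStore('dropbox-auth-csrf', $cookieSecret, 600);
// $webAuth   = new \Dropbox\WebAuth($appInfo, 'my-app/1.0', 'https://example.com/dropbox-auth-finish', $csrfStore);
//
// /dropbox-auth-start:  header('Location: ' . $webAuth->start());
// /dropbox-auth-finish: list($accessToken, $userId, $urlState) = $webAuth->finish($_GET);
```

The CSRF protection still comes from the browser presenting the cookie on the callback; the signature and expiry only add integrity and a time bound. The same result can be had without touching the SDK by pointing PHP's session handler at a shared backend (memcached or Redis) reachable from every server, or by enabling session stickiness on the ELB, which is often the simpler fix when the rest of the app also relies on `$_SESSION`.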
If I can get the php sdk to work in a load balancing environment, can I hand it off to Dropbox and have them maintain the code officially? As more and more people are moving to services with multiple servers, I think it would be helpful.
I got a similar issue.
I have hosted my dropbox project on a server; when multiple people try to auth using dropbox auth at the same time, it creates a CSRF mismatch problem.
A user comes to the site and clicks on auth; the CSRF token is set in the session and the user is redirected to the dropbox page to authorize (https://www.dropbox.com/1/oauth2/authorize). At the same time another user clicks to auth, now the CSRF token has changed, and that user is redirected to the dropbox page to authorize. So when the first user comes back via the redirect URI, the CSRF MISMATCH problem occurs.
Is there a way to customize my app?
Thamaraiselvam, different users shouldn't be affecting each other's sessions. It sounds like the session system for your app isn't set up correctly. That's a more general problem, and so a bit outside the scope of API support though, so I'm afraid I can't offer support for that. You should refer to the documentation for your web app platform for help configuring sessions properly.