I'm writing a web app that will use twitter as its primary log on method. I've written code which gets the oauth token back from Twitter. My plan is now to
- Find the entry in my Users table for the twitter username retrieved using the token, or create the entry if necessary
- Update the Users.TwitterOAuthToken column with the new OAuth token
- Create a permanent cookie with a random guid on the site and insert a record into my UserCookies table matching Cookie to User
- When a request comes in I will look for the browser cookie id in the UserCookies table, then use that to figure out the user, and make twitter requests on their behalf
- Write the oauth token into some pages as a js variable so that javascript can make requests on behalf of the user
- If the user clears his/her cookies the user will have to log in again to twitter
Is this the correct process? Have I created any massive security holes? thanks!
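A worked version of the login and session-lookup flow the question lays out, added here as an example for this thread; it is not code from the poster. In-memory dicts stand in for the Users and UserCookies tables, and the function names, the 30-day cookie lifetime and the token strings are all assumptions. The cookie value is minted from the OS CSPRNG rather than a GUID, only a hash of it is stored in the table, and the Twitter credentials stay on the server: page JavaScript would call a server endpoint that uses `credentials_for_request` instead of reading the token out of a JS variable.

```python
import hashlib
import secrets
import time
from typing import Optional, Tuple

# In-memory stand-ins for the Users and UserCookies tables (constructed for this example).
USERS = {}          # user_id -> {"twitter_username", "oauth_token", "oauth_secret"}
USER_COOKIES = {}   # sha256(session_id) -> {"user_id", "expires"}

SESSION_TTL_SECONDS = 30 * 24 * 3600  # lifetime of the "permanent" cookie (assumed: 30 days)


def _hash_session_id(session_id: str) -> str:
    # Only the digest is stored, so a copy of the table cannot be replayed as a cookie.
    return hashlib.sha256(session_id.encode("ascii")).hexdigest()


def find_or_create_user(twitter_username: str) -> int:
    """Step 1: locate the Users row for this Twitter account, creating it if absent."""
    for user_id, row in USERS.items():
        if row["twitter_username"] == twitter_username:
            return user_id
    user_id = len(USERS) + 1
    USERS[user_id] = {"twitter_username": twitter_username,
                      "oauth_token": None, "oauth_secret": None}
    return user_id


def store_oauth_credentials(user_id: int, oauth_token: str, oauth_secret: str) -> None:
    """Step 2: overwrite the stored token pair with the freshly issued one."""
    USERS[user_id]["oauth_token"] = oauth_token
    USERS[user_id]["oauth_secret"] = oauth_secret


def create_session(user_id: int, now: Optional[float] = None) -> str:
    """Step 3: mint an unguessable session id and map it to the user."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not a GUID
    USER_COOKIES[_hash_session_id(session_id)] = {
        "user_id": user_id, "expires": now + SESSION_TTL_SECONDS}
    return session_id


def set_cookie_header(session_id: str) -> str:
    """Cookie attributes: unreadable by page JS, HTTPS-only, not sent on cross-site navigations."""
    return (f"session_id={session_id}; Path=/; Max-Age={SESSION_TTL_SECONDS}; "
            "HttpOnly; Secure; SameSite=Lax")


def resolve_session(session_id: str, now: Optional[float] = None) -> Optional[int]:
    """Step 4: map an incoming cookie value back to a user id; None if unknown or expired."""
    now = time.time() if now is None else now
    key = _hash_session_id(session_id)
    row = USER_COOKIES.get(key)
    if row is None:
        return None
    if row["expires"] < now:
        del USER_COOKIES[key]          # expired: drop it so the value can never be reused
        return None
    return row["user_id"]


def revoke_session(session_id: str) -> bool:
    """Server-side logout; the cookie alone is useless afterwards."""
    return USER_COOKIES.pop(_hash_session_id(session_id), None) is not None


def credentials_for_request(session_id: str) -> Optional[Tuple[str, str]]:
    """Lookup used by a server endpoint that page JS calls; the token never leaves the server."""
    user_id = resolve_session(session_id)
    if user_id is None:
        return None
    row = USERS[user_id]
    return row["oauth_token"], row["oauth_secret"]


def login_with_twitter(twitter_username: str, oauth_token: str, oauth_secret: str):
    """Steps 1 to 3 in order; returns the raw session id and the Set-Cookie header."""
    user_id = find_or_create_user(twitter_username)
    store_oauth_credentials(user_id, oauth_token, oauth_secret)
    session_id = create_session(user_id)
    return session_id, set_cookie_header(session_id)


if __name__ == "__main__":
    # Placeholder token values; a real deployment receives these from Twitter's OAuth flow.
    sid, header = login_with_twitter("alice_example", "TOKEN-PLACEHOLDER", "SECRET-PLACEHOLDER")
    print(header)
    print("resolved user:", resolve_session(sid))
```

Two design choices carry the weight here: the table holds `sha256(session_id)` rather than the cookie value itself, so whoever reads the table still cannot log in as anyone, and the cookie is `HttpOnly`, so the value is never visible to script on the page. A second login by the same Twitter account reuses the existing Users row and rotates the stored token, which is what the question's step 2 describes.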