tags:

views:

560

answers:

2
+2  Q: 

What to do with twitter oauth token once retreived?

I'm writing a web app that will use twitter as its primary log on method. I've written code which gets the oauth token back from Twitter. My plan is now to

  1. Find the entry in my Users table for the twitter username retreived using the token, or create the entry if necessary
  2. Update the Users.TwitterOAuthToken column with the new OAuth token
  3. Create a permanent cookie with a random guid on the site and insert a record into my UserCookies table matching Cookie to User
  4. when a request comes in I will look for the browser cookie id in the UserCookies table, then use that to figure out the user, and make twitter requests on their behalf
  5. Write the oauth token into some pages as a js variable so that javascript can make requests on behalf of the user
  6. If the user clears his/her cookies the user will have to log in again to twitter

Is this the correct process? Have I created any massive security holes? thanks!

+3  A: 

Sounds good.

However, I suggest not using the Twitter User Name as the primary index for the User table. As Twitter user names can be changed. I learned this the hard way.

You should be fine using the Twitter User ID (big int) as the primary index as it doesn't change if the user changes their user name.

As for the token its self, you are a-okay with storing it for future use. In fact, you are encouraged to do so.

Jayrox  2010-05-12 21:01:34
Thanks, have gone with the id. Is it safe to send the oauth token to the client in order to make requests?
mcintyre321  2010-05-12 22:27:31
yea, cause the token is tied to your application.
Jayrox  2010-05-12 23:13:34
It wouldn't matter if someone sniffs the data i sent and then made requests using that auth token? Or am I being over-paranoid?
mcintyre321  2010-05-13 20:03:50
over paranoid, the auth token is tied to your api key/secret. so only you can use it. the only way another person could use it is if they have your key/secret. :)
Jayrox  2010-05-14 21:39:55
As it turns out I can't do JS POSTs to the twitter api without going through a proxy (same origin policy), so I'm keeping the token server side and appending it to the requests. Thanks!
mcintyre321  2010-05-17 11:08:48
Slightly off-topic, but also kind of relevant - I was always taught that Primary Keys should only ever be integers. Was I taught wrong?
Jack Webb-Heller  2010-07-27 21:23:26
@jack, i have no clue. might be someone out here that can she some light on that.
Jayrox  2010-07-28 01:47:08
A: 

Could you not just save the oauth_token as cookies instead of the GUID and do the user based lookup on the oauth_token or is that bad practice?

Ben  2010-07-27 21:21:35

related questions

Storing xml data in a cookie
Best way to secure an AJAX app
Is it possible to delete subdomain cookies?
What are the possible causes of a CGI::Session::CookieStore::TamperedWithCookie exception in rails
How do I access cookies within Flash?
Cookies and subdomains
Accessing Domain Cookies within an iFrame on Internet Explorer
Web Dev - Where to store state of a shopping-cart-like object?
Can JQuery read/write cookies to a browser?
Can you reliably set or delete a cookie during the server side processing of an Ajax (XHR) call?
How can I add cookies to Seaside responses without redirecting?
passing or reading .net cookie in php page
Best way for allowing subdomain session cookies using Tomcat
Why can't I delete this cookie?!
Apache Download: Make sure that page was viewed before download
Secure session cookies in ASP.NET over HTTPS
Always including the user in the django template context
How do you set up use HttpOnly cookies in PHP
How exactly do you configure httpOnlyCookies in ASP.NET?
How do you configure HttpOnly cookies in tomcat / java webapps?
How do HttpOnly cookies work with AJAX requests?
What is the best way to prevent session hijacking?
Associating source and search keywords with account creation
How would you implement FORM based authentication without a backing database?
How do I stop IIS7 dropping my cookies?