tags:

views:

175

answers:

2
+1  Q: 

Secure login with Twitter oAuth - best practice

Hi,

I am new to oAuth and looking to build a web application using Twitter (oAuth) to authenticate. There will be no other login method other than via Twitters oAuth. I am looking for advise on best practice to secure the site based on tokens. Here is my plan:

  • User is taken from my site to authenticate via Twitters site
  • Generate Access token for user
  • Get the users unique Twitter id via Twitter API
  • Do a user lookup in local db with this id and locate access token if available.
  • If no user, create new row in user table and save against the user. If user found, update access token agains the user record.
  • If the user is found, md5_salt the twitterid and set as a cookie.
  • If the user re-visits, lookup user based on cookie

Does that sound like a secure approach or is using the md5 twitter id a bad idea?

Appreciate any comments.

A: 

Thanks Ricky, yes, forgot to add the tag, it is PHP. I dont seem to be able to edit my post?

Appreciate any thoughts.

Regards, Ben.

Ben  2010-07-29 09:00:21
You can't edit your post because you're not the Ben who asked the question (user #403885) you are user #35451. Maybe you logged in with a different OpenID?
Peter Ajtai  2010-07-29 09:10:35
A: 

Without knowing exactly what your client/consumer application is doing, it is hard to tell whether this approach will be "secure".

One problem I see, is that once you have an access token from twitter, how do you identify your user if the cookie gets deleted? Or would you require them to get a new access token? This would mean that they would have to both login, and authorize your application each time.

Also, an access token for one user of your app. can be stolen and used by another user of your app. since it works just like a password AND you have no authentication on your side to verify your cookie saved access token.

To answer your question then, I would have to say that using oauth as the only authentication provider, no matter how you do it, is not a best practice.

In order to be secure both the client (consumer) application, and the server (provider) application, need to verify the identity of your users. The easiest way to do this is with a username and password which are stored in your users head, and not on file somewhere...

Brandon C  2010-08-05 18:30:03

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases