php - Secure login with Twitter OAuth - best practice
I'm new to OAuth and am trying to create a web application that uses Twitter to authenticate. There will be no login method other than Twitter's OAuth. I am looking for advice on best practices for securing a site based on tokens.
Does this sound like a safe approach, or is using the MD5 of the Twitter ID a bad idea?
I'd appreciate any comments.
Without knowing what your client/consumer application is doing, it is difficult to say that the approach will be "safe".
There is one problem I can see: once you have received an access token from Twitter and the cookie is removed, how do you identify your user? Or will you need them to get a new access token? That would mean they both log in and authorize the application every time.
In addition, a token issued for one user of your app can be used by another user of your app, because it acts just like a password and there is no authentication on your side to verify the access token saved in the cookie.
To answer your question, I have to say that using OAuth as the only authentication provider is not best practice, regardless of how you do it.
To protect both the client (consumer) application and the server (provider) application, the identity of your users needs to be verified. The easiest way to do this is with a username and password stored in your users' heads, and not in a file anymore...
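As an added illustration of the cookie problem the answer raises (this is example code, not from the question, the answer, or any Twitter library), here is one way to handle the OAuth callback in PHP so that the access token never reaches the browser: the browser only holds an opaque session id, the token and the user identity live in the server-side session, and the session id is regenerated once the user is known. `fetchTwitterAccessToken()` is a placeholder standing in for whatever OAuth client library performs the token exchange, and the values it returns are constructed sample data.

```php
<?php
// Added example: binding a Twitter OAuth login to a server-side PHP session
// instead of storing the access token in a browser cookie.
// Assumption: an OAuth client library has already issued a request token and
// can exchange oauth_token/oauth_verifier for an access token;
// fetchTwitterAccessToken() is a placeholder for that call, not a real API.

declare(strict_types=1);

session_set_cookie_params([
    'httponly' => true,   // session cookie is not readable from JavaScript
    'secure'   => true,   // cookie is only sent over HTTPS
    'samesite' => 'Lax',  // limits the cookie being sent cross-site
]);
session_start();

/**
 * Placeholder for the token-exchange step of the OAuth flow (assumption).
 * Returns constructed sample data so the flow can be traced offline.
 */
function fetchTwitterAccessToken(string $oauthToken, string $verifier): array
{
    return [
        'user_id'            => '12345',                 // constructed sample id
        'oauth_token'        => 'access-token-example',  // constructed sample token
        'oauth_token_secret' => 'access-secret-example', // constructed sample secret
    ];
}

/**
 * Verify that the callback belongs to the login this session started.
 * The request token must have been stored in the session when the user
 * was redirected to Twitter; an unknown or missing token is rejected.
 */
function callbackMatchesPendingLogin(array $session, array $query): bool
{
    $callbackToken = $query['oauth_token'] ?? '';
    $verifier      = $query['oauth_verifier'] ?? '';
    if ($callbackToken === '' || $verifier === '') {
        return false;
    }
    if (!isset($session['oauth_request_token'])) {
        return false;
    }
    // hash_equals() avoids a timing side channel on the comparison.
    return hash_equals($session['oauth_request_token'], $callbackToken);
}

if (!callbackMatchesPendingLogin($_SESSION, $_GET)) {
    http_response_code(400);
    exit('OAuth callback did not match a pending login.');
}
unset($_SESSION['oauth_request_token']);

// Exchange the callback parameters for an access token (placeholder call).
$twitter = fetchTwitterAccessToken($_GET['oauth_token'], $_GET['oauth_verifier']);

// Prevent session fixation: issue a fresh session id once the user is known,
// so an id handed to the browser before login cannot be reused afterwards.
session_regenerate_id(true);

// The browser only ever sees the opaque session id. The application's own
// notion of "who is logged in" and the access token both stay server-side.
$_SESSION['user_id']   = $twitter['user_id'];
$_SESSION['logged_in'] = time();
$_SESSION['twitter']   = [
    'oauth_token'        => $twitter['oauth_token'],
    'oauth_token_secret' => $twitter['oauth_token_secret'],
];

/**
 * Used by every later request: identity comes from the server-side session,
 * not from a token the client presents. Returns null when nobody is logged in.
 */
function currentUserId(): ?string
{
    return $_SESSION['user_id'] ?? null;
}
```

With this layout, a copied cookie only yields an opaque session id that expires with the session, rather than a long-lived access token that "acts just like a password". If the application needs to call the Twitter API after the session ends, the token pair should be persisted in server-side storage keyed by the application's user id, never in a cookie.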