php - Secure login with Twitter OAuth - best practice


I'm new to OAuth and am trying to create a web application that uses Twitter to authenticate. There will be no other login method than Twitter's OAuth. I am looking for advice on best practices for securing a site based on tokens.

  • Generate an access token for the user.
  • Get the user's unique Twitter ID via the Twitter API.
  • Search for a user in the local DB with this ID and locate the access token if available.
  • If there is no user, create a new row in the user table and save the user. If the user is found, update the login token on the user's record.
  • If the user is found, the Twitter ID, salted and MD5-hashed, is set as a cookie.
  • If the user re-visits, look up the user based on the cookie.

    Does this sound like a safe approach, or is the MD5 of the Twitter ID a bad idea?

    Appreciate any comments.

    Without knowing what your client/consumer application is doing, it is difficult to say whether the approach will be "safe".

    One problem I see is this: when you receive an access token from Twitter and the cookie has been removed, how do you identify your user? Or will you need them to get a new access token? That would mean they both log in and must authorize your application every time.

    In addition, a token issued for one user of your app can be used by another user of your app, because it acts just like a password and there is no authentication on your part to verify the access token saved in the cookie.

    To answer your question, I have to say that using OAuth as the only authentication provider, however you do it, is not best practice.

    To protect both the client (consumer) application and the server (provider) application, the identity of your users needs to be verified. The easiest way to do this is with a username and password stored in your users' heads, and no longer anywhere on file ...
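    The following is an added example written for this page, not code from the question or the answer. It puts the cookie scheme from the question's list (a salted MD5 of the Twitter ID) beside a hardened alternative that answers the objection above: the cookie should be an opaque, random session token with server-side state that can expire and be revoked, while the Twitter access token never leaves the server. It is written in Python rather than PHP so it can be checked stand-alone; the salt value, the one-hour lifetime, the in-memory dicts standing in for the user and session tables, and the Twitter ID "12345" are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# ---- The scheme from the question: cookie = md5(salt + twitter_id) ----------
# Hypothetical salt; the question does not say what value the app uses.
MD5_SALT = "example-salt"


def weak_cookie(twitter_id: str, salt: str = MD5_SALT) -> str:
    """Step 5 as asked: a deterministic cookie derived from the user's Twitter ID.

    Same input, same output, forever: once leaked it is a permanent credential,
    and there is nothing server-side to delete in order to log that user out
    short of changing the salt for every user at once.
    """
    return hashlib.md5((salt + twitter_id).encode()).hexdigest()


def weak_lookup(users: Dict[str, dict], cookie: str) -> Optional[str]:
    """Step 6 as asked: find the user whose stored md5 cookie matches."""
    for twitter_id, record in users.items():
        if hmac.compare_digest(record.get("cookie", ""), cookie):
            return twitter_id
    return None


# ---- Hardened alternative: opaque random session tokens, server-side state ----
SESSION_TTL = 3600  # seconds; constructed value for the example


def _key(token: str) -> str:
    """Store only a hash of the token so a leaked session table yields no live sessions."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Session:
    twitter_id: str
    expires_at: float


@dataclass
class SessionStore:
    sessions: Dict[str, Session] = field(default_factory=dict)

    def create(self, twitter_id: str, now: Optional[float] = None) -> str:
        """Issue a fresh 256-bit token that carries no information about the user."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.sessions[_key(token)] = Session(twitter_id, now + SESSION_TTL)
        return token

    def lookup(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the Twitter ID bound to a token, or None if unknown, expired or revoked."""
        now = time.time() if now is None else now
        session = self.sessions.get(_key(token))
        if session is None:
            return None
        if now >= session.expires_at:
            del self.sessions[_key(token)]  # expired: drop it so it cannot be replayed
            return None
        return session.twitter_id

    def revoke(self, token: str) -> None:
        """Logout or compromise response: the token stops working immediately."""
        self.sessions.pop(_key(token), None)


def login_with_twitter(users: Dict[str, dict], store: SessionStore,
                       twitter_id: str, access_token: str,
                       now: Optional[float] = None) -> str:
    """Steps 1-4 done safely: after the OAuth exchange returns the user's ID and
    access token, upsert the user row and start a brand-new session.

    The Twitter access token stays in the user row (server side) and never
    reaches the browser; the cookie holds only the opaque session token.
    When the cookie is gone, the user repeats the OAuth flow and the ID that
    Twitter returns is enough to find the existing row again.
    """
    users.setdefault(twitter_id, {})["access_token"] = access_token
    return store.create(twitter_id, now)
```

    In a PHP app the same shape applies: the cookie (HttpOnly, Secure, SameSite) carries only the opaque session id, the Twitter access token stays in the users table, and each login issues a new session rather than recomputing a hash of a public identifier that can never be rotated or revoked per user.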

