一旦检索到twitter oauth令牌,该怎么办? [英] What to do with twitter oauth token once retrieved?
问题描述
我在写一个网络应用程序,它将使用twitter作为其主要的登录方法。我写了一个代码,它从Twitter返回oauth令牌。现在我的计划是
- 在我的用户表中查找使用令牌检索的twitter用户名,或者必要时创建条目
- 使用新的OAuth令牌更新Users.TwitterOAuthToken列
- 在网站上创建一个包含随机guid的永久Cookie,并将记录插入我的UserCookie表匹配Cookie到用户
- 当请求进来时,我将在UserCookies表中查找浏览器Cookie ID,然后使用它来找出用户,并代表他们发出Twitter请求
- 将oauth令牌作为js变量写入某些页面,以便javascript可以代表用户发出请求
- 如果用户清除了他/
- Find the entry in my Users table for the twitter username retrieved using the token, or create the entry if necessary
- Update the Users.TwitterOAuthToken column with the new OAuth token
- Create a permanent cookie with a random guid on the site and insert a record into my UserCookies table matching Cookie to User
- when a request comes in I will look for the browser cookie id in the UserCookies table, then use that to figure out the user, and make twitter requests on their behalf
- Write the oauth token into some pages as a js variable so that javascript can make requests on behalf of the user
- If the user clears his/her cookies the user will have to log in again to twitter
这是正确的流程吗?我是否创建了任何大量的安全漏洞?
听起来不错。
但是,我建议不要使用Twitter用户名作为User表的主索引。可以更改Twitter用户名可。
您应该使用Twitter用户ID(big int)作为主索引,因为它不会更改,如果用户更改用户名。
对于它自己的令牌,你可以存储它以备将来使用。事实上,我们鼓励您这样做。
I'm writing a web app that will use twitter as its primary log on method. I've written code which gets the oauth token back from Twitter. My plan is now to
Is this the correct process? Have I created any massive security holes?
Sounds good.
However, I suggest not using the Twitter User Name as the primary index for the User table. As Twitter user names can be changed. I learned this the hard way.
You should be fine using the Twitter User ID (big int) as the primary index as it doesn't change if the user changes their user name.
As for the token its self, you are a-okay with storing it for future use. In fact, you are encouraged to do so.
这篇关于一旦检索到twitter oauth令牌,该怎么办?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
