I want to use @anywhere to allow users to log in to my website,
but I am curious about how to implement proper security.

Right now when a user hits the "Connect With Twitter" button on my
website and signs in via the popup window, the button changes to say
"Connected with Twitter". So far so good.

I can then run things like:

screenName = twitter.currentUser.data('screen_name');

However, I want to be able to send the currentUser's id or twitter
username to my server to log them into my website as well. I want to
check their id/username against my database, and store it if it
doesn't exist, then log them in.

So, the response that I get from running:

twttr.anywhere(onAnywhereLoad);

contains their username/id and some other information, but if I sent
this to my server via JavaScript to log in, there's nothing stopping
someone from making a fake request containing a different username to
log in.

With Facebook's Connect API I get a cookie set that I can then use
with my secret to verify that the request is really from Facebook, is
there an equivalent of this in Twitter?

Does this require me to use OAuth?

Again, all I'm trying to do is allow users to sign in to Twitter via
@anywhere on my site then send their username/id to my server to log
them into my application based on that username/id. I just need to be
able to validate that the data being sent to my server (username/id)
was really set by Twitter.

Any thoughts?

Thanks!


-- 
Subscription settings: 
http://groups.google.com/group/twitter-development-talk/subscribe?hl=en
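Added example, not part of the original thread: a server-side check in Python of the kind the question asks for, modelled on the cookie-plus-secret pattern the poster describes for Facebook. It assumes the identity cookie format @anywhere documented at the time (user_id:SHA1(user_id + consumer secret)); the consumer secret and the sign_identity helper that stands in for Twitter's side are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed secret for the example; a real consumer secret stays server-side
# and is never sent to the browser.
CONSUMER_SECRET = "example-consumer-secret"


def sign_identity(user_id: str, consumer_secret: str = CONSUMER_SECRET) -> str:
    """Produce the cookie value "user_id:SHA1(user_id + consumer_secret)".

    Stands in for Twitter's side: only a holder of the consumer secret can
    build this value, which is what makes the id inside it trustworthy.
    """
    digest = hashlib.sha1((user_id + consumer_secret).encode("utf-8")).hexdigest()
    return f"{user_id}:{digest}"


def verify_identity(cookie_value: Optional[str],
                    consumer_secret: str = CONSUMER_SECRET) -> Optional[str]:
    """Return the verified user id, or None if the cookie is missing or forged.

    The id the browser presents is accepted only if the signature is the one
    the secret produces for that exact id, so swapping in another user's id,
    or sending an unsigned id, is rejected before any database lookup.
    """
    if not cookie_value or ":" not in cookie_value:
        return None
    user_id, _, presented = cookie_value.partition(":")
    if not user_id.isdigit() or len(presented) != 40:
        return None
    expected = hashlib.sha1((user_id + consumer_secret).encode("utf-8")).hexdigest()
    # Constant-time comparison so response timing does not leak the digest.
    if not hmac.compare_digest(expected, presented):
        return None
    return user_id
```

The bare screen name from twitter.currentUser.data('screen_name') should never be used as the login key on its own; only the id recovered by verify_identity is checked against the database.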