IMO I'd rather you not be able to pull user information out of an existing
cookie.  Third-party apps should not be able to read Twitter.com cookies, and
vice-versa.  There are a million security concerns about enabling anyone to
access this information via cookie - I hope Twitter doesn't enable that.
Rather than detect it through the cookie, it would be better to allow apps
to detect the user through the auth processes, via API key and token, in the
same manner as Facebook Connect is doing.  Twitter.com should be the only
people with access to Twitter.com cookies.  Just my $.02...

Jesse

On Fri, Jan 9, 2009 at 3:43 PM, Paul Kinlan <[email protected]> wrote:

>
> Hehe, I am not sure if there is anything you can do other than support
> cookies again :)
>
> From an API point of view for itsabot I need to be able to detect the
> current twitter user, whilst the rest of the functionality is accessed
> through a proxy using my account and auth details.
>
> I think that it would be good if http referrers to the api could be
> whitelisted so that the request could be authenticated but only from
> sites approved by twitter.
>
> If there were a referral whitelist it could be used to reduce the
> number of proxy calls I need to make and could also be used to reduce
> the chance that people use my proxy for nefarious means.
>
> The good thing about cookies for GET requests is that I don't need to
> ask twitter users for any of their details.
>
> From a twollo point of view, several thousand users have used their
> password details on the service, now I have to manage and secure this
> so that it can auto follow on their behalf.  In light of recent
> incidents by other services (although it hasn't deterred users of
> twollo) I would like to see methods where users can trust my
> application to add followers, for instance, without the need for their
> twitter details.
>
> Kind regards,
>
> Paul Kinlan
>
> On 9 Jan 2009, at 22:03, "Alex Payne" <[email protected]> wrote:
>
> >
> > Apologies. If there's some way that we can help within the realm of
> > API methods that we support, let me know.
> >
> > On Fri, Jan 9, 2009 at 11:39, Paul Kinlan <[email protected]>
> > wrote:
> >>
> >> It's unfortunate, because it did work before yesterday.
> >>
> >> I can no longer get the user timeline without a) asking them for a
> >> username and b) using a proxy account.
> >>
> >> It is unfortunate again because I have created www.twollo.com which
> >> requires a user's username and password and I have been hoping to move
> >> away from that, and now www.itsabot.com no longer has the
> >> interactivity it once had.
> >>
> >> I will have to work around it but it just won't be as good and I am
> >> not too pleased because I have 4 more projects in the pipeline that I
> >> am putting on ice.
> >>
> >> Regards,
> >> Paul
> >>
> >>
> >> On 9 Jan 2009, at 19:02, "Alex Payne" <[email protected]> wrote:
> >>
> >>>
> >>> Cookie support was, as you mentioned, never actually supported, and
> >>> it's definitely disabled. There's a method you can use to find if the
> >>> user is logged in, but not WHO the user is. That's intentional.
> >>>
> >>> On Fri, Jan 9, 2009 at 10:33, Paul Kinlan <[email protected]>
> >>> wrote:
> >>>> Hi,
> >>>>
> >>>> I am seeing problems using the JSON API calls to
> >>>> statuses/user_timeline.json?suppress_response_codes=1 from a
> >>>> webpage (www.itsabot.com): they are now coming back saying that the
> >>>> call requires authentication, whereas in the past the auth cookie
> >>>> went across with the request from a SCRIPT tag and the data came back.
> >>>>
> >>>> Now I know "cookie auth" is not supported, but I find it hard to
> >>>> perform any form of useful "hands off" interaction without it.  Can
> >>>> you clarify that cookie support to JSON endpoints no longer works?
> >>>>
> >>>> Many Kind Regards,
> >>>> Paul Kinlan.
> >>>>
> >>>>
> >>>> 2009/1/9 Alex Payne <[email protected]>
> >>>>>
> >>>>> It's long since fixed.
> >>>>>
> >>>>> On Fri, Jan 9, 2009 at 00:51, Paul Kinlan <[email protected]>
> >>>>> wrote:
> >>>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>> I know this is probably a cheeky question, but is there an ETA
> >>>>>> for the fix?  My site www.itsabot.com is getting a lot of
> >>>>>> authentication problems at the moment.
> >>>>>>
> >>>>>> Kind Regards,
> >>>>>> Paul Kinlan.
> >>>>>>
> >>>>>> On Jan 9, 12:33 am, "Alex Payne" <[email protected]> wrote:
> >>>>>>> This is a bug, deployed as part of a related fix to our handling
> >>>>>>> of web sessions vs API authentication. A fix is pending deploy
> >>>>>>> while we resolve some issues with our cluster's internal network.
> >>>>>>>
> >>>>>>> --
> >>>>>>> Alex Payne - API Lead, Twitter, Inc.
> >>>>>>> http://twitter.com/al3x
> >>>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>> Alex Payne - API Lead, Twitter, Inc.
> >>>>> http://twitter.com/al3x
> >>>>
> >>>>
> >>>
> >>>
> >>>
> >>> --
> >>> Alex Payne - API Lead, Twitter, Inc.
> >>> http://twitter.com/al3x
> >>
> >
> >
> >
> > --
> > Alex Payne - API Lead, Twitter, Inc.
> > http://twitter.com/al3x
>
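The separation the thread argues for (web session cookie honoured only by Twitter.com pages, JSON API calls needing their own token, and a "logged in yes/no" probe that never reveals who) as a small added example. This is not Twitter's code; the cookie name, the `Authorization: Token` scheme, the `/account/logged_in` path and the session/token tables are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data; the names are assumptions, not Twitter's real values.
SESSION_COOKIE = "twitter_session"
SESSIONS = {"sess-abc": "alice"}        # web session id -> logged-in user
API_TOKENS = {"tok-1234": "alice"}      # API token -> account it was issued for


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


def parse_cookies(header):
    """Split a Cookie header into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def is_api_path(path):
    """JSON API endpoints, e.g. /statuses/user_timeline.json?... (query ignored)."""
    return path.split("?", 1)[0].endswith(".json")


def authenticate(req):
    """Return (status, body). The session cookie is honoured only for web pages;
    a .json API call must carry its own token, so a <script src=...> placed on a
    third-party page cannot ride on the visitor's Twitter.com session."""
    cookies = parse_cookies(req.headers.get("Cookie", ""))
    session_user = SESSIONS.get(cookies.get(SESSION_COOKIE))
    if is_api_path(req.path):
        auth = req.headers.get("Authorization", "")
        token_user = API_TOKENS.get(auth[6:]) if auth.startswith("Token ") else None
        if token_user is None:
            # Cookie present or not: the API answers "requires authentication".
            return 401, {"error": "requires authentication"}
        return 200, {"user": token_user}
    if req.path == "/account/logged_in":   # hypothetical probe: yes/no, never WHO
        return 200, {"logged_in": session_user is not None}
    if session_user is None:
        return 302, {"location": "/login"}
    return 200, {"user": session_user}
```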
