On Feb 17, 8:58 pm, Alex Payne <[email protected]> wrote:
> As to your second point: yes, do NOT store keys in unencrypted cookies.

Access tokens were designed with the assumption that they should be treated as "public", hence the existence of the secret part of the token/secret pair. The secret should never be exposed, but there's no reason that I'm aware of to hide the access token itself (that said, there's no reason to go out of your way to advertise it, either). Of course, that doesn't help in this situation, since authenticating users at twe2 should not be done on the basis of a single "public" identifier.

b.
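
The token/secret split discussed in the message above, as an added example that is not part of the original post or of any Twitter or twe2 code. It assumes the pair is an OAuth 1.0a one signed with HMAC-SHA1 (RFC 5849): the access token travels in every request as `oauth_token`, while the token secret only feeds the signing key. All keys, tokens, the URL and the helper names are constructed for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(s):
    # RFC 5849 section 3.6: only unreserved characters stay literal
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    # Encode, sort and join the parameters (RFC 5849 section 3.4.1).
    # Assumes a URL with no query string and no explicit port.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalised = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalised)])

def sign(method, url, params, consumer_secret, token_secret):
    # The signing key is built from the two secrets; neither is transmitted
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify(method, url, params, signature, consumer_secret, token_secret):
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

# Constructed sample values
CONSUMER_SECRET = "example-consumer-secret"
TOKEN = "example-access-token"
TOKEN_SECRET = "example-token-secret"
URL = "https://api.example.com/1/statuses/update.json"

def demo():
    params = {
        "oauth_consumer_key": "example-consumer-key",
        "oauth_token": TOKEN,  # sent in the clear with every request
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1266440280",
        "oauth_nonce": "constructed-nonce-1",
        "oauth_version": "1.0",
        "status": "hello",
    }
    signed = sign("POST", URL, params, CONSUMER_SECRET, TOKEN_SECRET)
    # A party that has seen the token but does not hold its secret
    no_secret = sign("POST", URL, params, CONSUMER_SECRET, "")
    wire = base_string("POST", URL, params)
    return {
        "holder_accepted": verify("POST", URL, params, signed, CONSUMER_SECRET, TOKEN_SECRET),
        "token_only_accepted": verify("POST", URL, params, no_secret, CONSUMER_SECRET, TOKEN_SECRET),
        "token_on_wire": TOKEN in wire,
        "secret_on_wire": TOKEN_SECRET in wire,
    }
```

The same reasoning applies to a site's own session cookie: a value that is only an identifier, with nothing the server can verify against a secret it holds, proves nothing about who presented it.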
