Great, I appreciate your insights.

PK

On Jan 26, 4:22 am, Scott Carter <scarter28m-goo...@yahoo.com> wrote:
> There should be no need to keep the token and secret in a cookie and
> it would not be safe there in any case. I keep them in a DB on the
> server for my Social.com applications. I use a cookie to identify
> the user for a DB lookup. The cookie has a few pieces of information:
> username (user id would be even better)
> session key
> encryption key
>
> If the user is currently logged into Social.com, the session key can
> be used to lookup the token and encrypted token secret (from session
> data in memcached). The encryption key from the cookie (unique per
> user) is used to decrypt the token secret. If the session has
> expired, I can use the username to lookup the record from a DB.
>
> Scott
>
> On Jan 25, 10:03 am, Patrick <kenned...@gmail.com> wrote:
>
> > I was thinking. I can just use a database and write the current user
> > out (embed it) into the PHP dynamically, instead of posting it from
> > jQuery.  I guess that would work.  It would avoid the whole issue.
>
> > On Jan 25, 9:03 pm, Patrick <kenned...@gmail.com> wrote:
>
> > > I want to implement an AJAX and OAuth design using PHP and jQuery.
>
> > > Now, if a dedicated user is required, I can embed the token and secret
> > > into a PHP file. However, to allow a multi-user scheme, I can put the
> > > token and secret into a cookie, and read them from JavaScript.
> > > However, is that a good idea - i.e., is it secure, or what should I do
> > > to implement a good security model for an AJAX / OAuth design?
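The server-side layout Scott describes above, written out as an added example (not code from this thread): the cookie carries only a user id, a session key and a per-user encryption key, while the token and the encrypted token secret live in a session cache and a DB. The HMAC-based encrypt-then-MAC and the in-memory stores are constructed stand-ins for a real AEAD, memcached and the database.

```python
import hmac, hashlib, os, secrets

# Constructed in-memory stand-ins for the memcached session data and the user DB.
SESSION_CACHE = {}   # session key -> record, dropped when the session expires
USER_DB = {}         # user id -> the same record, kept long term

def _subkey(user_key, label):
    # Derive separate encryption and MAC keys from the per-user cookie key.
    return hmac.new(user_key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def encrypt_secret(user_key, plaintext):
    # Encrypt-then-MAC built from HMAC-SHA256; a stand-in for a real AEAD such as AES-GCM.
    nonce = os.urandom(16)
    stream = _keystream(_subkey(user_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(user_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_secret(user_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(user_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("stored token secret does not authenticate under this cookie key")
    stream = _keystream(_subkey(user_key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))

def login(user_id, oauth_token, oauth_secret):
    # Server side, after the OAuth dance: persist token + encrypted secret, return only the cookie.
    session_key = secrets.token_hex(16)
    user_key = os.urandom(32)          # per-user key; the server keeps no copy of it
    record = {"token": oauth_token, "enc_secret": encrypt_secret(user_key, oauth_secret)}
    SESSION_CACHE[session_key] = record
    USER_DB[user_id] = record
    return {"user": user_id, "session": session_key, "key": user_key.hex()}

def credentials_for(cookie):
    # Live session: look up by session key; expired: fall back to the DB by user id.
    # The fallback trusts the user id in the cookie, so only the cookie key guards the secret.
    record = SESSION_CACHE.get(cookie["session"]) or USER_DB[cookie["user"]]
    secret = decrypt_secret(bytes.fromhex(cookie["key"]), record["enc_secret"])
    return record["token"], secret

def expire_session(session_key):
    SESSION_CACHE.pop(session_key, None)
```

Neither side alone is enough: the stores hold only ciphertext, and the cookie holds no token material, so a wrong or missing cookie key fails the MAC check instead of yielding a secret.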