Great, I appreciate your insights.


On Jan 26, 4:22 am, Scott Carter <> wrote:
> There should be no need to keep the token and secret in a cookie and
> it would not be safe there in any case.  I keep them in a DB on the
> server for my applications.   I use a cookie to identify
> the user for a DB lookup.  The cookie has a few pieces of information:
> username (user id would be even better)
> session key
> encryption key
> If the user is currently logged into, the session key can
> be used to look up the token and encrypted token secret (from session
> data in memcached).  The encryption key from the cookie (unique per
> user) is used to decrypt the token secret.  If the session has
> expired, I can use the username to look up the record from a DB.
> Scott
> On Jan 25, 10:03 am, Patrick <> wrote:
> > I was thinking. I can just use a database and write the current user
> > out (embed it) into the PHP dynamically, instead of posting it from
> > jQuery.  I guess that would work.  It would avoid the whole issue.
> > On Jan 25, 9:03 pm, Patrick <> wrote:
> > > I want to implement an AJAX and oAuth design using PHP and jQuery.
> > > Now, if a dedicated user is required, I can embed the token and secret
> > > into a PHP file. However, to allow a multi-user scheme, I can put the
> > > token and secret into a cookie, and read them from JavaScript.
> > > However, is that a good idea - i.e., is it secure, or what should I do
> > > to implement a good security model for an AJAX / oAuth design?

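The storage scheme described in Scott Carter's reply above, sketched in PHP as an added example (not code from any participant in the thread): the token secret stays on the server, encrypted under a per-user key that exists only in the cookie. It assumes PHP 7.3+ with the sodium extension; the arrays standing in for the DB and memcached, the function names and the sample values are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: encrypt the token secret under a fresh per-user key.
// Returns [server-side record, hex key destined for the cookie].
function seal_token_secret(string $token, string $tokenSecret): array
{
    $key   = sodium_crypto_secretbox_keygen();
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $record = [
        'token'      => $token,
        'nonce'      => $nonce,
        'enc_secret' => sodium_crypto_secretbox($tokenSecret, $nonce, $key),
    ];
    return [$record, bin2hex($key)];
}

// Hypothetical helper: returns the token secret, or null when the cookie key
// is malformed, wrong, or the stored record was modified.
function open_token_secret(array $record, string $hexKey): ?string
{
    if (strlen($hexKey) !== 2 * SODIUM_CRYPTO_SECRETBOX_KEYBYTES || !ctype_xdigit($hexKey)) {
        return null;
    }
    $plain = sodium_crypto_secretbox_open($record['enc_secret'], $record['nonce'], hex2bin($hexKey));
    return $plain === false ? null : $plain;
}

// Constructed sample data; arrays stand in for the DB and memcached.
[$record, $hexKey] = seal_token_secret('sample-token', 'sample-token-secret');
$sessionKey = bin2hex(random_bytes(16));
$db         = ['alice' => $record];        // long-lived store, keyed by username
$sessions   = [$sessionKey => $record];    // session data, keyed by session key

// The cookie carries only lookup values and the decryption key, never the token
// or secret. In a real response it would be sent with setcookie() using the
// 'secure' and 'httponly' options so page JavaScript cannot read it.
$cookie = ['user' => 'alice', 'session' => $sessionKey, 'key' => $hexKey];

// Per request: try the session first, fall back to the DB by username.
function secret_for_request(array $cookie, array $sessions, array $db): ?string
{
    $rec = $sessions[$cookie['session']] ?? $db[$cookie['user']] ?? null;
    return $rec === null ? null : open_token_secret($rec, $cookie['key']);
}

var_dump(secret_for_request($cookie, $sessions, $db) === 'sample-token-secret');
var_dump(secret_for_request($cookie, [], $db) === 'sample-token-secret'); // session expired
var_dump(secret_for_request(['key' => str_repeat('0', 64)] + $cookie, [], $db)); // wrong key
```

Because the secretbox construction is authenticated, a cookie that names a valid username but carries the wrong key cannot decrypt that user's record, and neither the cookie alone nor the stored record alone yields the token secret.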