I'm just starting to develop a web-based Twitter API application (in PHP), which should allow multiple users to tweet through the website. I'm experienced developing websites with PHP, but I've never worked with the Twitter API, and I see that the preferred authorization method is OAuth, which I've also never worked with before.

I'm still in the conceptual stages now, and I know my terminology is fuzzy, but I understand that a user goes through the 3rd party website (which has a revocable key after registering with Twitter, which I've already done), and then the end user goes through the 3rd party website to Twitter to authorize the 3rd party site to post for them, without ever revealing the user's ID or password to the 3rd party site, by returning an access token. And according to the Twitter OAuth FAQ, the token never expires unless revoked by the user or the app itself is de-authorized by Twitter.

My question at last is then, what are good practices for the 3rd party site? Should the site request the user to reauthorize with Twitter each & every time he/she comes to the site? Should the 3rd party site have its own login/username/password for users and store the token in a database? Should it offer to store the token as a cookie on the user's computer?

I played with twitgoo.com, which asks a user to "Sign in & Update". If I authorize & close the browser, and then start the browser again and go to the site, I'm still "logged in", without having been asked if it should keep me logged in. That doesn't seem so good if the user is on a shared computer.

SO -- is there any common consensus on how maintaining user info/tokens should be done?

Thanks for any feedback,
Paul

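One way to handle the storage question raised above (the site keeps its own login, holds the Twitter token pair server-side, and the browser only ever gets the site's session cookie), as an added example that is not the poster's code. It assumes PHP 7.2+ with ext/sodium, a PDO connection to MySQL, and a hypothetical table `twitter_tokens(user_id INT PRIMARY KEY, blob BLOB)`; the `TWITTER_TOKEN_KEY` variable name is also an assumption.

```php
<?php
// Added example (not the poster's code): keep the Twitter OAuth access token and
// token secret server-side, encrypted at rest, bound to the site's own user account.
// Assumes PHP 7.2+ with ext/sodium, a PDO connection $db to MySQL, and a table
// twitter_tokens(user_id INT PRIMARY KEY, blob BLOB) -- names are hypothetical.
declare(strict_types=1);

// One site-wide key, loaded from the environment (outside the web root), never from the DB.
function tokenKey(): string {
    $key = base64_decode(getenv('TWITTER_TOKEN_KEY') ?: '', true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('TWITTER_TOKEN_KEY must be 32 random bytes, base64-encoded');
    }
    return $key;
}

// Store the token pair Twitter returned, for the site user who just completed the OAuth dance.
function storeTwitterToken(PDO $db, int $userId, string $oauthToken, string $oauthTokenSecret): void {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = json_encode(['token' => $oauthToken, 'secret' => $oauthTokenSecret]);
    $blob  = $nonce . sodium_crypto_secretbox($plain, $nonce, tokenKey()); // authenticated encryption
    sodium_memzero($plain);
    $stmt = $db->prepare('REPLACE INTO twitter_tokens (user_id, blob) VALUES (?, ?)'); // MySQL upsert
    $stmt->execute([$userId, $blob]);
}

// Fetch and decrypt the pair when the logged-in user asks the site to tweet; null if none stored.
function loadTwitterToken(PDO $db, int $userId): ?array {
    $stmt = $db->prepare('SELECT blob FROM twitter_tokens WHERE user_id = ?');
    $stmt->execute([$userId]);
    $blob = $stmt->fetchColumn();
    if ($blob === false) {
        return null;
    }
    $nonce  = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, tokenKey());
    if ($plain === false) {
        throw new RuntimeException('stored token failed authentication (tampered row or wrong key)');
    }
    return json_decode($plain, true); // ['token' => ..., 'secret' => ...]
}

// The browser only ever holds the site's own session id, never the Twitter token, so a shared
// computer exposes at most the site session. Revoking on the site side is deleting the row.
function revokeTwitterToken(PDO $db, int $userId): void {
    $db->prepare('DELETE FROM twitter_tokens WHERE user_id = ?')->execute([$userId]);
}
```

The site session itself should be a normal short-lived PHP session (HttpOnly, Secure cookie), with any "keep me logged in" option implemented as a separate opt-in persistent login token rather than by placing the Twitter credentials in a cookie.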