The way I did it for my website is to store the tokens in a db and put a custom persisting cookie on the user's browser. The user can 'sign-off', removing the cookie, and will have to authenticate with Twitter next time she uses the protected functionality on my website. Or the cookie can expire/be deleted locally. But if the cookie remains intact the user will be signed in automatically.
I think this approach is quite secure and still convenient to all parties involved.

Alex

On Feb 11, 4:53 pm, John Meyer <john.l.me...@gmail.com> wrote:
> On 2/11/2010 9:30 AM, Paul wrote:
>
> > My question at last is then, what are good practices for the 3rd party
> > site? Should the site request the user to reauthorize with Twitter
> > each & every time he/she comes to the site? Should the 3rd party site
> > have its own login/username/password for users and store the token in
> > a database? Should it offer to store the token as a cookie on the
> > user's computer?
>
> Different strokes for different folks. Whatever you do, make it clear
> what your site is doing to the user. If you want to store a
> username/password for your own site and then store that authentication
> information in a MySQL database, tell them that. And explain to them
> that they can revoke authentication at any time through the Twitter website.
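Alex's approach above (Twitter tokens in a database, an opaque persisting cookie in the browser, sign-off and expiry invalidating it), as an added Python example that is not code from the thread; the sqlite schema, the 30-day cookie lifetime, and storing only a hash of the cookie value are assumptions of this example:

```python
import hashlib
import secrets
import sqlite3
import time

COOKIE_TTL = 30 * 24 * 3600  # assumed lifetime of the persisting cookie: 30 days


def _hash(value: str) -> str:
    # Only the hash of the cookie value is stored, so a leaked table yields no usable cookies.
    return hashlib.sha256(value.encode()).hexdigest()


class TokenStore:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")  # assumed: in-memory sqlite stands in for the site's DB
        self.db.execute("""CREATE TABLE sessions (
            cookie_hash TEXT PRIMARY KEY, twitter_user_id TEXT,
            oauth_token TEXT, oauth_token_secret TEXT, expires_at REAL)""")

    def sign_in(self, twitter_user_id, oauth_token, oauth_token_secret, now=None):
        """After the Twitter OAuth callback: store the tokens, return the cookie value (set it Secure + HttpOnly)."""
        now = time.time() if now is None else now
        cookie = secrets.token_urlsafe(32)  # random and opaque, so it cannot be guessed or forged
        self.db.execute("INSERT INTO sessions VALUES (?, ?, ?, ?, ?)",
                        (_hash(cookie), twitter_user_id, oauth_token,
                         oauth_token_secret, now + COOKIE_TTL))
        self.db.commit()
        return cookie

    def lookup(self, cookie, now=None):
        """Resolve a request's cookie to (user_id, token, secret), or None when it is
        unknown or expired; an expired row is deleted so it cannot be revived."""
        now = time.time() if now is None else now
        row = self.db.execute(
            "SELECT twitter_user_id, oauth_token, oauth_token_secret, expires_at "
            "FROM sessions WHERE cookie_hash = ?", (_hash(cookie),)).fetchone()
        if row is None:
            return None
        if row[3] <= now:
            self.sign_off(cookie)
            return None
        return row[:3]

    def sign_off(self, cookie):
        """Sign-off: delete the server-side record so the tokens are unreachable even if
        a copy of the cookie survives on the client; returns True if a row existed."""
        cur = self.db.execute("DELETE FROM sessions WHERE cookie_hash = ?", (_hash(cookie),))
        self.db.commit()
        return cur.rowcount == 1
```

Clearing the browser cookie on sign-off is still needed, but with the row gone a stale copy of the cookie no longer signs anyone in.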