The way I did it for my website is to store the tokens in a db and put
a custom persisting cookie on the user's browser. The user can 'sign-off',
removing the cookie, and will have to authenticate with Twitter
next time she uses the protected functionality on my website. Or the
cookie can expire/be deleted locally. But if the cookie remains intact,
the user will be signed in automatically.

I think this approach is quite secure and still convenient to all
parties involved.


On Feb 11, 4:53 pm, John Meyer <> wrote:
> On 2/11/2010 9:30 AM, Paul wrote:
> > My question at last is then, what are good practices for the 3rd party
> > site?  Should the site request the user to reauthorize with Twitter
> > each & every time he/she comes to the site?  Should the 3rd party site
> > have its own login/username/password for users and store the token in
> > a database?  Should it offer to store the token as a cookie on the
> > user's computer?
> Different strokes for different folks.  Whatever you do, make it clear
> what your site is doing to the user.  If you want to store a
> username/password for your own site and then store that authentication
> information in a MySQL database, tell them that.  And explain to them
> that they can revoke authentication at any time through the Twitter website.
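The "tokens in a db, persisting cookie in the browser" design from the reply above, as an added example that is not code from the original poster: the cookie holds only random values (a selector plus a verifier), the Twitter OAuth token and secret stay server-side, the verifier is stored hashed, and 'sign-off' deletes the server record so the cookie dies wherever it was copied. The in-memory dict standing in for the database, the 30-day lifetime and the cookie name are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-in for the poster's token database:
# selector -> record. Only a hash of the cookie's verifier is stored,
# so a stolen copy of the table cannot be replayed as a cookie.
_DB = {}
MAX_AGE = 30 * 24 * 3600  # assumed: the cookie persists for 30 days

def _digest(verifier):
    return hashlib.sha256(verifier.encode()).hexdigest()

def issue_cookie(user_id, oauth_token, oauth_secret, now=None):
    """Store the Twitter credentials; return (cookie_value, Set-Cookie).
    The cookie carries only random values, never the OAuth token."""
    now = time.time() if now is None else now
    selector, verifier = secrets.token_urlsafe(12), secrets.token_urlsafe(32)
    _DB[selector] = {"user_id": user_id, "oauth_token": oauth_token,
                     "oauth_secret": oauth_secret,
                     "verifier_hash": _digest(verifier),
                     "expires": now + MAX_AGE}
    value = f"{selector}.{verifier}"
    header = (f"remember={value}; Max-Age={MAX_AGE}; Path=/; "
              "Secure; HttpOnly; SameSite=Lax")
    return value, header

def lookup(cookie_value, now=None):
    """Resolve a cookie to its record, or None if unknown, tampered
    with, or expired (expired rows are purged on sight)."""
    now = time.time() if now is None else now
    selector, _, verifier = cookie_value.partition(".")
    rec = _DB.get(selector)
    if rec is None:
        return None
    if now >= rec["expires"]:
        del _DB[selector]
        return None
    # Constant-time compare so the verifier cannot be guessed byte by byte.
    if not hmac.compare_digest(rec["verifier_hash"], _digest(verifier)):
        return None
    return rec

def sign_off(cookie_value):
    """The poster's 'sign-off': drop the server record, killing the cookie."""
    return _DB.pop(cookie_value.partition(".")[0], None) is not None
```

Revoking the app on the Twitter side, as John Meyer notes, invalidates the stored OAuth token itself; the lookup above only decides whether the browser is still trusted to use it.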
