An alternative is to encrypt the token secret. Keep the encrypted secret on the server and the encryption key in a cookie.
- Scott

On Feb 17, 9:27 am, John Meyer <john.l.me...@gmail.com> wrote:
> On 2/17/2010 5:32 AM, Dmitri Snytkine wrote:
>
> > Just wondering, is it a bad practice for a web-based app to store
> > user's token and secret in cookies?
> > This would of course simplify and speed up the login, but is it a
> > security risk?
>
> When you boil it down, everything done to increase accessibility is a
> security risk. I would think that if you keep your consumer key pair on
> the server there is little problem with this.
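Added example, not part of the original thread: a Node.js sketch of the split suggested in the reply above, where the server stores only the ciphertext of the token secret and the browser cookie carries only the key. The function names, the user ids, the sample secret and the use of AES-256-GCM with the user id as associated data are assumptions made for this illustration.

```javascript
const crypto = require('crypto');

// Encrypt a token secret under a fresh random key.
// cookieKey goes into the cookie (set it HttpOnly and Secure);
// record is what the server stores. Neither half decrypts alone.
function sealSecret(tokenSecret, userId) {
  const key = crypto.randomBytes(32);          // AES-256 key, never stored server-side
  const iv = crypto.randomBytes(12);           // 96-bit GCM nonce, fresh per record
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(String(userId)));  // bind the ciphertext to this user
  const ct = Buffer.concat([cipher.update(tokenSecret, 'utf8'), cipher.final()]);
  const record = {
    iv: iv.toString('base64'),
    ct: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
  return { cookieKey: key.toString('base64'), record };
}

// Recover the token secret from the cookie key plus the stored record.
function openSecret(cookieKey, record, userId) {
  const key = Buffer.from(cookieKey, 'base64');
  if (key.length !== 32) throw new Error('bad key length');
  const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(record.iv, 'base64'));
  d.setAAD(Buffer.from(String(userId)));
  d.setAuthTag(Buffer.from(record.tag, 'base64'));
  // final() throws if the key, user id or ciphertext does not match
  const pt = Buffer.concat([d.update(Buffer.from(record.ct, 'base64')), d.final()]);
  return pt.toString('utf8');
}

// Treat any decryption failure as "not logged in" rather than an error page.
function tryOpen(cookieKey, record, userId) {
  try { return openSecret(cookieKey, record, userId); } catch { return null; }
}

// Constructed sample values: a matching cookie, a stale cookie, a swapped user.
function demo() {
  const { cookieKey, record } = sealSecret('constructed-token-secret-123', 'user-42');
  const staleKey = sealSecret('x', 'user-42').cookieKey;
  return {
    roundTrip: tryOpen(cookieKey, record, 'user-42'),
    wrongKey: tryOpen(staleKey, record, 'user-42'),
    wrongUser: tryOpen(cookieKey, record, 'user-43'),
  };
}
```

With this split, a leaked database row yields only ciphertext and a stolen cookie yields only a key. Deleting the server-side record revokes the login regardless of what the browser still holds.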