On Sep 1, 10:45 am, Matei <mad.doroba...@gmail.com> wrote:
> Hi everyone,
> I am compelled to ask because the search turned up a few posts that
> were somewhat vague and didn't answer all my questions.
> I have a website widget that interacts heavily with Twitter. We use
> OAuth to authenticate our requests. To log out the users from our side
> we destroy the OAuth token. However during the initial OAuth workflow
> Twitter places a cookie on the browser, so if the user logs out from
> our site but navigates to the Twitter site they are still logged in.
> Closing the browser solves this, as it appears the cookie is a session
> cookie. Calling the "account/end_session.json" endpoint does nothing
> for us because the call is server side so the cookie doesn't get
> replaced.
> I am a little concerned about this behavior since the widget will be
> on a public site users can access from public computers. It is
> possible the users will log out of our widget but not close the
> browser window. At that point someone could navigate to Twitter and
> still be logged in with their account.
> So finally my questions are:
> 1. How do I reliably log users out of Twitter?
> 2. Is it really necessary for Twitter to send this cookie during the
> OAuth workflow? The API is stateless so the cookie is really
> unnecessary as far as using the APIs is concerned.
> Sorry for the lengthy post, responses are greatly appreciated!
> Cheers,
> Matei
