you can mark the cookie as secure so it will only be transferred over https.
-igor

On Sat, Dec 4, 2010 at 12:56 PM, Peter Karich <[email protected]> wrote:
> Hi Igor!
>
> thanks! I will try it out. (I also think token is url safe)
>
> BTW: I meant, there is also 'token_secure', not only 'token' in twitter's
> oAuth (+ the app credentials).
> So a hacker cannot easily guess the 'token' for the user and get a fake
> login via modifying its cookie.
> like it would be the case if I would store the user name in the cookie only.
>
> (But this method is not safe if you as a user are connected via an unsecured
> WLAN)
>
> Regards,
> Peter.
>
>> not sure, but i would think it would be ok. i think the token should
>> already be url safe, but once again - not sure.
>>
>> -igor
>>
>> On Sat, Dec 4, 2010 at 12:38 PM, Peter Karich<[email protected]> wrote:
>>>
>>> Igor,
>>>
>>> there is token_secure. So storing it in clean text should be ok, right?
>>> Or do I need to encrypt (or at least base64ing) it?
>>>
>>> Regards,
>>> Peter.
>>>
>>>> store the token in a cookie and attempt to auto-relogin user based on
>>>> it?
>>>>
>>>> -igor
>>>>
>>>> On Sat, Dec 4, 2010 at 11:51 AM, Peter Karich<[email protected]> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> do you know of any examples for wicket which uses twitter's oAuth?
>>>>> In my app I can easily login and use the twitter api,
>>>>> but I'm kind of stuck how to avoid that the user needs to login every
>>>>> time after the session expires.
>>>>>
>>>>> Any other hints, links or best practices?
>>>>>
>>>>> Kind regards,
>>>>> Peter.

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
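
Added example, not part of the original thread and not Wicket's own code: one way to write the remember-me cookie discussed above with the Servlet API (`javax.servlet`, 3.0 or later for `setHttpOnly`). The class name, the cookie name `remember_token` and the 14-day lifetime are assumptions, as is a container that sees HTTPS directly so that `isSecure()` is accurate, and a token made of cookie-safe characters.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical helper: keeps the OAuth token in an HTTPS-only cookie. */
public final class RememberMeCookie {
    private static final String NAME = "remember_token";          // assumed cookie name
    private static final int MAX_AGE_SECONDS = 14 * 24 * 60 * 60; // assumed lifetime

    private RememberMeCookie() {}

    /** Call after a successful OAuth login. */
    public static void issue(HttpServletRequest req, HttpServletResponse resp, String token) {
        if (!req.isSecure()) {
            return; // never hand the token out on a plain-HTTP response
        }
        Cookie c = new Cookie(NAME, token);
        c.setSecure(true);   // browser returns it over HTTPS only
        c.setHttpOnly(true); // not readable from page scripts
        c.setPath("/");
        c.setMaxAge(MAX_AGE_SECONDS);
        resp.addCookie(c);
    }

    /** Returns the token for auto-relogin, or null if absent or the request is not HTTPS. */
    public static String read(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies(); // null when the request carries no cookies
        if (!req.isSecure() || cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            String value = c.getValue();
            if (NAME.equals(c.getName()) && value != null && !value.isEmpty()) {
                return value;
            }
        }
        return null;
    }

    /** Call on logout, or when the stored token is rejected at relogin. */
    public static void clear(HttpServletResponse resp) {
        Cookie c = new Cookie(NAME, "");
        c.setSecure(true);
        c.setPath("/");  // must match the path used in issue()
        c.setMaxAge(0);  // tells the browser to delete the cookie
        resp.addCookie(c);
    }
}
```

The Secure flag only restricts when the browser sends the cookie, so the pages that issue and read it have to be served over HTTPS as well.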
