you can mark the cookie as secure so it will only be transferred over https.

-igor

On Sat, Dec 4, 2010 at 12:56 PM, Peter Karich <peat...@yahoo.de> wrote:
>  Hi Igor!
>
> thanks! I will try it out. (I also think token is url safe)
>
> BTW: I meant, there is also 'token_secure', not only 'token' in twitter's
> oAuth (+ the app credentials).
> So a hacker cannot easily guess the 'token' for the user and get a fake
> login via modifying its cookie.
> like it would be the case if I would store the user name in the cookie only.
>
> (But this method is not safe if you as a user are connected via an unsecured
> WLAN)
>
> Regards,
> Peter.
>
>> not sure, but i would think it would be ok. i think the token should
>> already be url safe, but once again - not sure.
>>
>> -igor
>>
>> On Sat, Dec 4, 2010 at 12:38 PM, Peter Karich<peat...@yahoo.de>  wrote:
>>>
>>>  Igor,
>>>
>>> there is token_secure. So storing it in clean text should be ok, right?
>>> Or do I need to encrypt (or at least base64ing) it?
>>>
>>> Regards,
>>> Peter.
>>>
>>>> store the token in a cookie and attempt to auto-relogin user based on
>>>> it?
>>>>
>>>> -igor
>>>>
>>>> On Sat, Dec 4, 2010 at 11:51 AM, Peter Karich<peat...@yahoo.de>
>>>>  wrote:
>>>>>
>>>>>  Hi,
>>>>>
>>>>> do you know of any examples for wicket which uses twitter's oAuth?
>>>>> In my app I can easily login and use the twitter api,
>>>>> but I'm kind of stuck how to avoid that the user needs to login every
>>>>> time
>>>>> after the session expires.
>>>>>
>>>>> Any other hints, links or best practices?
>>>>>
>>>>> Kind regards,
>>>>> Peter.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> For additional commands, e-mail: users-h...@wicket.apache.org
>
>
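
The approach discussed in this thread (token in a cookie, marked secure, used for auto-relogin), as an added example that is not part of the original messages and is not Wicket or Twitter API code. The class name, cookie name and sample token are assumptions made for illustration; it uses only JDK classes, so the header strings stand in for what the servlet container would send and receive.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

/** Hypothetical helper: builds and reads a "remember me" cookie that carries the OAuth token. */
public class RememberMeCookie {
    static final String NAME = "twitter_token"; // assumed cookie name

    /** Returns the value for a Set-Cookie response header. */
    static String issue(String token, long maxAgeSeconds) {
        // URL-safe Base64 without padding keeps the value inside the cookie-safe character set.
        String value = Base64.getUrlEncoder().withoutPadding()
                .encodeToString(token.getBytes(StandardCharsets.UTF_8));
        // Secure: the browser sends it over HTTPS only. HttpOnly: page scripts cannot read it.
        return NAME + "=" + value + "; Max-Age=" + maxAgeSeconds + "; Path=/; Secure; HttpOnly";
    }

    /** Extracts the token from a request's Cookie header, or empty if it must not be used. */
    static Optional<String> read(String cookieHeader, boolean requestIsHttps) {
        if (!requestIsHttps || cookieHeader == null) {
            return Optional.empty(); // no auto-relogin from a request that was not HTTPS
        }
        for (String pair : cookieHeader.split(";")) {
            String[] kv = pair.trim().split("=", 2);
            if (kv.length == 2 && kv[0].equals(NAME)) {
                try {
                    byte[] raw = Base64.getUrlDecoder().decode(kv[1]);
                    return Optional.of(new String(raw, StandardCharsets.UTF_8));
                } catch (IllegalArgumentException e) {
                    return Optional.empty(); // malformed value: treat as not logged in
                }
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        String token = "12345-AbCdEfConstructedToken"; // constructed sample, not a real token
        String setCookie = issue(token, 14L * 24 * 3600);
        System.out.println("Set-Cookie: " + setCookie);
        // The browser returns only the name=value part in its Cookie header.
        String sentBack = setCookie.substring(0, setCookie.indexOf(';'));
        System.out.println("over https: " + read(sentBack, true));
        System.out.println("over http:  " + read(sentBack, false));
    }
}
```

In a servlet container the same attributes are set with `javax.servlet.http.Cookie#setSecure(true)` and, from Servlet 3.0 on, `setHttpOnly(true)`.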
