oh, but this would raise other questions :-)

e.g. how can I set up https with tomcat/wicket? Or do I need to set this up with apache only?

Regards,
Peter.

you can mark the cookie as secure so it will only be transferred over https.

-igor

On Sat, Dec 4, 2010 at 12:56 PM, Peter Karich<peat...@yahoo.de>  wrote:
  Hi Igor!

thanks! I will try it out. (I also think token is url safe)

BTW: I meant, there is also 'token_secure', not only 'token' in twitter's
oAuth (+ the app credentials).
So a hacker cannot easily guess the 'token' for the user and get a fake
login via modifying its cookie.
like it would be the case if I would store the user name in the cookie only.

(But this method is not safe if you as a user are connected via an unsecured
WLAN)

Regards,
Peter.

not sure, but i would think it would be ok. i think the token should
already be url safe, but once again - not sure.

-igor

On Sat, Dec 4, 2010 at 12:38 PM, Peter Karich<peat...@yahoo.de>    wrote:
  Igor,

there is token_secure. So storing it in clean text should be ok, right?
Or do I need to encrypt (or at least base64ing) it?

Regards,
Peter.

store the token in a cookie and attempt to auto-relogin user based on it?

-igor

On Sat, Dec 4, 2010 at 11:51 AM, Peter Karich<peat...@yahoo.de> wrote:
  Hi,

do you know of any examples for wicket which uses twitter's oAuth?
In my app I can easily login and use the twitter api,
but I'm kind of stuck how to avoid that the user needs to login every time
after the session expires.

Any other hints, links or best practices?

Kind regards,
Peter.
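
The approach discussed in this thread (token in a cookie, cookie marked secure), as an added example that is not code from any of the posters or from Wicket. It assumes the Servlet 3.0 `javax.servlet.http` API; the class name, cookie name and lifetime are hypothetical.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example: keeps the OAuth token in a cookie that only travels over HTTPS. */
public final class TokenCookie {
    // Hypothetical cookie name and lifetime, chosen for this example.
    private static final String NAME = "twitter_token";
    private static final int MAX_AGE_SECONDS = 14 * 24 * 60 * 60;

    private TokenCookie() {}

    /** Call after a successful OAuth login. Returns false if nothing was written. */
    public static boolean save(HttpServletRequest req, HttpServletResponse resp, String token) {
        if (!req.isSecure()) {
            return false; // do not hand the token out on a plain-HTTP response
        }
        resp.addCookie(build(req, token, MAX_AGE_SECONDS));
        return true;
    }

    /** Returns the stored token, or null. The caller must still verify it server-side
        (for example by using it against the API) before logging the user in. */
    public static String load(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (!req.isSecure() || cookies == null) {
            return null; // ignore a token that arrived over plain HTTP
        }
        for (Cookie c : cookies) {
            String v = c.getValue();
            if (NAME.equals(c.getName()) && v != null && !v.isEmpty()) {
                return v;
            }
        }
        return null;
    }

    /** Call on logout so the browser drops the cookie. */
    public static void clear(HttpServletRequest req, HttpServletResponse resp) {
        resp.addCookie(build(req, "", 0)); // max-age 0 deletes the cookie
    }

    private static Cookie build(HttpServletRequest req, String value, int maxAge) {
        Cookie c = new Cookie(NAME, value);
        c.setSecure(true);   // browser sends it over HTTPS only
        c.setHttpOnly(true); // not readable from page scripts
        String ctx = req.getContextPath();
        c.setPath(ctx.isEmpty() ? "/" : ctx);
        c.setMaxAge(maxAge);
        return c;
    }
}
```

`isSecure()` reports how the servlet container sees the connection, so when TLS is terminated in front of Tomcat the container has to be configured to report those requests as secure.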

