使用Twitter oAuth安全登录 - 最佳实践

I am new to oAuth and looking to build a web application using Twitter (oAuth) to authenticate. There will be no other login method other than via Twitters oAuth. I am looking for advise on best practice to secure the site based on tokens. Here is my plan:

User is taken from my site to authenticate via Twitters site
Generate Access token for user
Get the users unique Twitter id via Twitter API
Do a user lookup in local db with this id and locate access token if available.
If no user, create new row in user table and save against the user. If user found, update access token agains the user record.
If the user is found, md5_salt the twitterid and set as a cookie.
If the user re-visits, lookup user based on cookie

Does that sound like a secure approach or is using the md5 twitter id a bad idea?

Appreciate any comments.

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
dongti7838 2010-08-05 18:30
关注
Without knowing exactly what your client/consumer application is doing, it is hard to tell whether this approach will be "secure".

One problem I see, is that once you have an access token from twitter, how do you identify your user if the cookie gets deleted? Or would you require them to get a new access token? This would mean that they would have to both login, and authorize your application each time.

Also, an access token for one user of your app. can be stolen and used by another user of your app. since it works just like a password AND you have no authentication on your side to verify your cookie saved access token.

To answer your question then, I would have to say that using oauth as the only authentication provider, no matter how you do it, is not a best practice.

In order to be secure both the client (consumer) application, and the server (provider) application, need to verify the identity of your users. The easiest way to do this is with a username and password which are stored in your users head, and not on file somewhere...

本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

使用Twitter oAuth安全登录 - 最佳实践 php twitter
2010-07-27 21:40

回答 1 已采纳 Without knowing exactly what your client/consumer application is doing, it is hard to tell whether
使用PHP登录OAuth2 javascript php
2016-06-29 10:53

回答 1 已采纳 You should use redirects as you implied with JS frameworks. It works the same with Facebook. The
如何使用epicurl库为Twitter oAuth登录传递状态参数 php twitter
2013-07-02 23:46

回答 1 已采纳 Answering my own question. You can pass an entire query string, along with the url (although the p
基于CAS的单点登录从零到壹最佳实践
2020-02-18 15:57

悟了道的博客 CAS全称为Central Authentication Service即中央认证服务，是一个企业多语言单点登录的解决方案，并努力去成为一个身份验证和授权需求的综合平台。 CAS是由Yale大学发起的一个企业级的、开源的项目，旨在为Web应用...
Twitter API和获取用户信息PHP php twitter
2018-05-11 23:19

回答 1 已采纳 What you need in order to maintain access to user information on behalf of them is the generated o
什么PHP Twitter OAuth库可用？我应该使用哪一个？ php twitter
2011-12-14 15:46

回答 2 已采纳 I've used Abraham's TwitterOAuth library and find it to be quite good. It comes with some good wor
oauth2-php库客户端授权 php
2013-11-13 14:09

回答 1 已采纳 In order to access a protected resource with a given example code: 1) Create a client (provide cl
保护REST API / Web服务的最佳实践[关闭]
2019-12-18 15:35

p15097962069的博客在设计REST API或服务时，是否存在处理安全性（身份验证，授权，身份管理）的最佳实践？构建SOAP API时，您需要使用WS-Security作为指南，并且有很多关于该主题的文献。
Twitter OAuth无法检索访问令牌 php twitter
2015-03-24 23:01

回答 1 已采纳 As it turns out my particular issue was caused by sessions and the callback url. I was accessing
PHP - 安装OAuth时出错 php
2017-03-14 01:22

回答 1 已采纳 The Google provider is not part of the league/oauth2-client package. You also need to install the
使用php使用Twitter API发布图像+状态 php twitter
2016-02-11 21:54

回答 1 已采纳 I ended up not being able to use this method and found a more current solution. The one thing I le
常用的 PHP 类库 , 资源
2020-02-12 17:43

AR414.com的博客持续更新：https://github.com/ar414-com/php-source-lib 学习资源 PHP相关的有参考价值的社区,博客,网站,文章,书籍,视频等资源 PHP网站(PHP Websites) PHP The Right Way - 一个PHP实践的快速参考指导 PHP ...
不支持删除/ oauth / personal-access-tokens / token laravel php
2018-12-13 19:19

回答 1 已采纳 I created a local passport environment, this seemed to work for me in PersonalAccessTokens.vue: r
php类库
2021-07-30 08:42

极梦网络无忧的博客依赖管理( Dependency ...pickle - PHP扩展安装器 Melody - A tool to build one file Composer scripts. 依赖注入( Dependency Injection ) 实现依赖注入设计模式的库 Pimple - 一个小的依赖注入容器 containe
2023年全球最受欢迎的前十个PHP框架
2023-12-26 11:01

WPHunter的博客一般情况下，PHP程序员经常会借助PHP框架来编写代码，而不是从零开始。那么什么是PHP框架，为什么要使用它们，及与大家分享一些最受欢迎的PHP框架。
没有解决我的问题, 去提问

悬赏问题

¥20 完全没有学习过GAN，看了CSDN的一篇文章，里面有代码但是完全不知道如何操作
¥15 使用ue5插件narrative时如何切换关卡也保存叙事任务记录
¥20 软件测试决策法疑问求解答
¥15 win11 23H2删除推荐的项目，支持注册表等
¥15 matlab 用yalmip搭建模型，cplex求解，线性化处理的方法
¥15 qt6.6.3 基于百度云的语音识别不会改
¥15 关于#目标检测#的问题：大概就是类似后台自动检测某下架商品的库存，在他监测到该商品上架并且可以购买的瞬间点击立即购买下单
¥15 神经网络怎么把隐含层变量融合到损失函数中？
¥15 lingo18勾选global solver求解使用的算法
¥15 全部备份安卓app数据包括密码，可以复制到另一手机上运行

使用Twitter oAuth安全登录 - 最佳实践

1条回答 默认 最新

悬赏问题

1条回答默认最新