Twitter OAuth with ASP.NET MVC, where to keep a secret token

I have a dilemma about where to store the secret tokens that I get from Twitter.

Options:

a. Put it in a FormsAuthenticationTicket, encrypt it and put it in a cookie. How safe is this?

b. Put it in Session and put the username in FormsAuthentication.

FormsAuthentication.SetAuthCookie(String.Concat("<em>", screen_name, "</em>"), true); 

This way, I will need to check if secret cookies exist in the first session.

c. Store secret cookies in the database and store the username in a cookie, as in b.

Which one do you recommend and why?

Thanks a lot!

+4
2 answers

Since the token does not expire, and your application is considered authorized for this user account, you need to keep the token somewhere that lasts longer than the session.

In this case, I would save it in the database associated with the username.

+3

I would prefer not to store the "username" with the token, because the username is actually the screen name that you get through XML, and it's easy to change.

Why not save the "user id" with the token?

0
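
What the two answers describe together, as an added example that is not code from the original posts: the token pair lives in server-side storage keyed by the numeric Twitter user id, and the forms-authentication cookie carries only that id. The class names are hypothetical, the dictionary stands in for a database table, and protecting the values at rest with `MachineKey.Protect` (.NET 4.5 or later) is an assumption the answers do not mention.

```csharp
using System.Collections.Concurrent;
using System.Text;
using System.Web.Security;
// Hypothetical record: one row per Twitter account, keyed by the numeric user id.
public sealed class TwitterCredential
{
    public long UserId;            // stable key; unaffected when the screen name changes
    public string ScreenName;      // display only; refreshed on each sign-in
    public byte[] ProtectedToken;  // access token, protected at rest
    public byte[] ProtectedSecret; // token secret, protected at rest
}
// Hypothetical store. The dictionary stands in for a database table.
public sealed class TwitterTokenStore
{
    private const string Purpose = "TwitterTokenStore.v1";
    private readonly ConcurrentDictionary<long, TwitterCredential> _rows = new ConcurrentDictionary<long, TwitterCredential>();

    public void Save(long userId, string screenName, string token, string tokenSecret)
    {
        _rows[userId] = new TwitterCredential
        {
            UserId = userId,
            ScreenName = screenName,
            ProtectedToken = MachineKey.Protect(Encoding.UTF8.GetBytes(token), Purpose),
            ProtectedSecret = MachineKey.Protect(Encoding.UTF8.GetBytes(tokenSecret), Purpose)
        };
    }

    // Returns false when no credential is stored for this user id.
    public bool TryGet(long userId, out string token, out string tokenSecret)
    {
        token = tokenSecret = null;
        TwitterCredential row;
        if (!_rows.TryGetValue(userId, out row)) return false;
        token = Encoding.UTF8.GetString(MachineKey.Unprotect(row.ProtectedToken, Purpose));
        tokenSecret = Encoding.UTF8.GetString(MachineKey.Unprotect(row.ProtectedSecret, Purpose));
        return true;
    }
}
public static class TwitterSignIn
{
    // Called after the OAuth callback: the cookie carries only the user id, never the token.
    public static void Complete(TwitterTokenStore store, long userId, string screenName, string token, string tokenSecret)
    {
        store.Save(userId, screenName, token, tokenSecret);
        FormsAuthentication.SetAuthCookie(userId.ToString(), true);
    }
}
```

On later requests the id read from the authenticated identity is passed to `TryGet`; a `false` result means the user has to go through the Twitter authorization step again.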