Sign in with Twitter, and stay signed in (PHP)

2020-07-13 09:34发布

I'm creating a site where users will need to register to participate. I'm on a deadline, and I don't really want to write an entire user registration / login system, so I'm thinking I'll let the Twitter API handle it. I've registered an application with Twitter and I've got the proper PHP code to allow users to sign in and allow access to my application. The thing is, I don't want users to have to log in every time they visit the site, I'd like to implement a "stay signed in" option, I'm just having trouble figuring out how to do it.

I could simply store the oauth_token and oauth_token_secret in a cookie and simply read the cookie every time someone visits the site. The existence (or absence) of those cookie values will determine whether or not the person is authorized with twitter. Of course, this is a simple approach, and bad things could happen if users decided to mess with the cookie.

Another approach would be to store only the oauth_token in the cookie, and save both the oauth_token and oauth_token_secret in my database. When the user visits, I check for the cookie value and if it's present, I check the database for a matching value and fetch the secret token, but things could still go wrong if the user ever gets ahold of someone else's oauth_token key.

The final option would be to store both the token and token_secret in the database and generate a unique random value, perhaps do some arbitrary operations on it to further obscure it, maybe md5() it, and store THAT value in the cookie and also in the database.

Of course, I really know nothing about this kind of thing, which is why I opted to not write my own user system. Basically I just don't want the user to have to sign in every time (or even to have to click the "Sign in with Twitter" link every time). If they're already signed in and have already approved my application to access their account, I want them to be able to visit the site and have it remember them. What would be the best way to do this?

1条回答
▲ chillily
2楼-- · 2020-07-13 10:10

The "stay logged in" part could be handled by you. You get the user to login via twitter the first time and then set a cookie. In future you check to see if a cookie is set and if so use that to auto-login the user and failing that offer twitter for login.

You don't need to force twitter to do the stay-logged in part.

查看更多
登录 后发表回答