Twitter Authentication and Session Login
Goal
Have a working "Sign in with Twitter" function that seamlessly logs the user in and keeps them logged in with a session token. The access token and access token secret will both be inside a JSON object as follows:
{
  "access_token": "012345679abc",
  "access_token_secret": "abc0123456789"
}
The same JSON object will be converted to a string and encoded in Base64. After that, it will be stored in the cookies under the property twitter_session_token.
Alongside the session token, the Twitter user ID will be stored in the cookies as well, under the property twitter_user_id. Account creation is not planned for this milestone. The User ID will NOT be encoded in any way.
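The cookie layout described above, written out as an added Node.js example (this is not code from the original notes or from any project): the token pair is serialized to JSON, Base64-encoded, and set as twitter_session_token, while twitter_user_id is stored unencoded. The cookie names and the placeholder token values come from the notes; the cookie attributes (HttpOnly, Secure, SameSite), the validation on decode, and the helper names are this example's own assumptions.

```javascript
// Added example (not from the original notes): writing and reading the
// twitter_session_token / twitter_user_id cookies described in the plan.

const SESSION_COOKIE = 'twitter_session_token';
const USER_ID_COOKIE = 'twitter_user_id';

// JSON object -> string -> Base64, as the plan describes. The object is
// rebuilt with only the two expected keys so nothing else ends up in the cookie.
function encodeSessionToken(accessToken, accessTokenSecret) {
  const json = JSON.stringify({
    access_token: accessToken,
    access_token_secret: accessTokenSecret,
  });
  return Buffer.from(json, 'utf8').toString('base64');
}

// Reverse the encoding. Returns null for anything that is not a Base64 JSON
// object carrying both string fields, so a tampered or truncated cookie is
// treated as "not logged in" instead of throwing inside a request handler.
function decodeSessionToken(cookieValue) {
  if (typeof cookieValue !== 'string' || cookieValue.length === 0) return null;
  let parsed;
  try {
    parsed = JSON.parse(Buffer.from(cookieValue, 'base64').toString('utf8'));
  } catch (_err) {
    return null;
  }
  if (parsed === null || typeof parsed !== 'object') return null;
  const { access_token, access_token_secret } = parsed;
  if (typeof access_token !== 'string' || typeof access_token_secret !== 'string') {
    return null;
  }
  return { access_token, access_token_secret };
}

// Set-Cookie header lines for both cookies. HttpOnly keeps the token pair out
// of reach of page scripts, Secure restricts it to HTTPS (the notes assume
// HTTPS is on), and SameSite=Lax limits cross-site sending. These attributes
// are this example's assumption, not part of the plan. The user ID is stored
// unencoded, as the plan states (URL-escaped only so it stays a valid cookie).
function buildSetCookieHeaders(tokens, userId, maxAgeSeconds = 30 * 24 * 3600) {
  const attrs = `Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Lax`;
  const sessionValue = encodeSessionToken(tokens.access_token, tokens.access_token_secret);
  return [
    `${SESSION_COOKIE}=${sessionValue}; ${attrs}`,
    `${USER_ID_COOKIE}=${encodeURIComponent(String(userId))}; ${attrs}`,
  ];
}

// Parse an incoming Cookie request header into a name -> value map. Only the
// first '=' splits name from value, so Base64 padding in the value survives.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = value;
  }
  return out;
}

// Recover the login state from a request's Cookie header, or null if either
// cookie is missing or the session token does not decode cleanly.
function sessionFromCookieHeader(header) {
  const cookies = parseCookieHeader(header);
  const tokens = decodeSessionToken(cookies[SESSION_COOKIE]);
  if (!tokens) return null;
  const userId = cookies[USER_ID_COOKIE];
  if (!userId) return null;
  return { userId: decodeURIComponent(userId), ...tokens };
}

// Constructed sample values: the placeholder tokens from the notes and a
// made-up user ID.
const sampleTokens = { access_token: '012345679abc', access_token_secret: 'abc0123456789' };
const sampleUserId = '123456';

const setCookieLines = buildSetCookieHeaders(sampleTokens, sampleUserId);
console.log(setCookieLines.join('\n'));
// Simulate the browser sending both cookies back on the next request.
const cookieHeader = setCookieLines.map((line) => line.split(';')[0]).join('; ');
console.log(sessionFromCookieHeader(cookieHeader));
```

On the read side the decode deliberately fails closed: any cookie that is not a Base64 JSON object with both string fields yields null, so the login check can treat it as an anonymous request rather than a server error.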
Access tokens and fresh cookies
Storing the access token and secret in the cookies themselves is not a real issue: API requests also have to be signed with the application consumer key and secret, which are not public, so the token pair alone does not let anyone do much. The Base64 encoding is done for convenience (only one cookie property is needed) and for a small added dose of security and professionalism. Security geeks could freak out at seeing their tokens in their cookies (even with HTTPS on), and nobody wants to worry about those issues.