cURL / Cookie Management + SSL

Ray Grieselhuber

Jan 27, 2008, 11:49:37 PM
to Twitter Development Talk
I've searched through these docs and the wiki quite a bit and I'm a
little stuck, so I'm hoping someone here can help.

I'd like to take a user's username / password, authenticate them once,
discard their password and rely only on their _twitter_session cookie
for all future posts / etc. I know this is not officially supported
but until OAuth support is built into Twitter, it sounds like the
safest means for third-party apps to integrate with Twitter. The other
requirement I have is I want to ensure that all communication with
Twitter is sent via SSL.

Specific questions:

1. Does anyone have a cURL snippet (perhaps two snippets) that, first,
authenticates a user and stores the cookie returned and, second, uses
the stored cookie to post / send direct messages / follow, etc.?

(As an aside, the best resource I've found for this purpose is this
page: http://www.sakana.fr/blog/2007/03/18/scripting-twitter-with-curl/
but it seems that it is somewhat out of date.)

2. There seems to be some confusion (at least from a user / third-
party developer perspective) as to how complete SSL support is. Is
every API command available over SSL? Would this change the above
snippets at all (aside from the obvious difference in URL (http ->
https))?

Thanks in advance,

Ray Grieselhuber
http://www.gridjit.com

Cameron Kaiser

Jan 27, 2008, 11:54:00 PM
to twitter-deve...@googlegroups.com
> 2. There seems to be some confusion (at least from a user / third-
> party developer perspective) as to how complete SSL support is. Is
> every API command available over SSL? Would this change the above
> snippets at all (aside from the obvious difference in URL (http ->
> https))?

I don't know about the authentication question, but it seems to me that
if the intent would be to use SSL for most/all operations, that it would
put an unwelcome load on the Twitter backend.

--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * cka...@floodgap.com
-- Put your Nose to the Grindstone! -- Plastic Surgeons-Toolmakers Union Ltd. -

Ray Grieselhuber

Jan 28, 2008, 12:16:40 AM
to Twitter Development Talk
I guess it would be nice to know the Twitter team's plans for this
sort of thing. Sooner than later, all users (whether they are on 3rd
party clients or Twitter apps) are going to want secure transmissions.
I guess if passwords aren't being sent it's not as big of a deal
though - which brings me back to my other question about session
cookie management.

On Jan 27, 8:54 pm, Cameron Kaiser <spec...@floodgap.com> wrote:
> > 2. There seems to be some confusion (at least from a user / third-
> > party developer perspective) as to how complete SSL support is. Is
> > every API command available over SSL? Would this change the above
> > snippets at all (aside from the obvious difference in URL (http ->
> > https))?
>
> I don't know about the authentication question, but it seems to me that
> if the intent would be to use SSL for most/all operations, that it would
> put an unwelcome load on the Twitter backend.
>
> --
> ------------------------------------ personal: http://www.cameronkaiser.com/ --
> Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com

Ed Finkler

Jan 28, 2008, 5:47:38 AM
to twitter-deve...@googlegroups.com
On Jan 27, 2008 11:54 PM, Cameron Kaiser <spe...@floodgap.com> wrote:

> I don't know about the authentication question, but it seems to me that
> if the intent would be to use SSL for most/all operations, that it would
> put an unwelcome load on the Twitter backend.

I use SSL for everything in Spaz, and I think I indicated my intention
to Alex. He didn't mention that this was a Bad Thing.

--
--
Ed Finkler
http://funkatron.com
AIM: funka7ron
ICQ: 3922133
Skype: funka7ron

Dossy Shiobara

Jan 28, 2008, 8:00:43 AM
to twitter-deve...@googlegroups.com
On 2008.01.27, Ray Grieselhuber <rgries...@gmail.com> wrote:
> I'd like to take a user's username / password, authenticate them once,
> discard their password and rely only on their _twitter_session cookie
> for all future posts / etc.

This might work ... until the session expires.

> The other requirement I have is I want to ensure that all
> communication with Twitter is sent via SSL.

Is anyone's Twitter data really that sensitive? I mean, seriously?

-- Dossy

--
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
"He realized the fastest way to change is to laugh at your own
folly -- then you can let go and quickly move on." (p. 70)

Ray Grieselhuber

Jan 28, 2008, 11:58:39 AM
to Twitter Development Talk
For me, as a third party app developer, it's less about the inherent
sensitivity of the data (and it's true, I'm mainly concerned about
passwords) and more about the fallout that would happen to my app if
somebody grabbed data between my app and Twitter.

On Jan 28, 5:00 am, Dossy Shiobara <do...@panoptic.com> wrote:

Ed Finkler

Jan 28, 2008, 12:34:05 PM
to twitter-deve...@googlegroups.com
On Jan 28, 2008 8:00 AM, Dossy Shiobara <do...@panoptic.com> wrote:

> Is anyone's Twitter data really that sensitive? I mean, seriously?

Passwords are sent plaintext without ssl encryption. Also consider
protected updates, and apps like Remember The Milk.

Ray Grieselhuber

Jan 28, 2008, 1:43:24 PM
to Twitter Development Talk
Right. I think these are valid concerns.

Anyone out there have experience making this work? (Authenticating
with the session cookie and, ideally, doing it over SSL?)

On Jan 28, 9:34 am, "Ed Finkler" <funkat...@gmail.com> wrote:
> On Jan 28, 2008 8:00 AM, Dossy Shiobara <do...@panoptic.com> wrote:
>
> > Is anyone's Twitter data really that sensitive? I mean, seriously?
>
> Passwords are sent plaintext without ssl encryption. Also consider
> protected updates, and apps like Remember The Milk.
>
> --
> --
> Ed Finkler http://funkatron.com

Alex Payne

Feb 5, 2008, 5:39:18 PM
to twitter-deve...@googlegroups.com
Every API command is available over SSL. The long-term solution to
some authentication security concerns will be OAuth, which will end
the need to send a username and password with every request. OAuth
will be available over HTTP and HTTPS when our implementation is
finalized.

--
Alex Payne
http://twitter.com/al3x
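
The flow asked about in this thread (authenticate once, then reuse the `_twitter_session` cookie over HTTPS only), as an added example that is not part of the original posts. The host, the `/login` path and the form field names are placeholders rather than Twitter's actual endpoints, and `cookie_status` covers the session-expiry caveat raised in the replies.

```shell
#!/bin/sh
# Added example. Host, paths and form fields are placeholders, not Twitter's API.
BASE_URL="https://twitter.example.invalid"
JAR="${JAR:-./twitter_session.jar}"

# HTTPS only, including redirects; curl verifies the server certificate by default.
tls_curl() {
  curl --silent --show-error --fail --proto '=https' --proto-redir '=https' "$@"
}

# Step 1: send the password once (read from stdin, kept out of argv) and keep
# only the cookie jar; umask 077 makes a newly created jar owner-only.
login_once() {  # usage: printf '%s' "$password" | login_once USERNAME
  ( umask 077
    tls_curl --cookie-jar "$JAR" --output /dev/null \
      --data-urlencode "username=$1" --data-urlencode "password@-" \
      "$BASE_URL/login" )
}

# Step 2: later requests present the stored cookie instead of credentials.
with_session() {  # usage: with_session /path [extra curl arguments]
  path=$1; shift
  tls_curl --cookie "$JAR" --cookie-jar "$JAR" "$@" "$BASE_URL$path"
}

# Step 3: check a cookie in the Netscape-format jar before relying on it.
# Prints ok, insecure (no Secure flag), expired, or missing.
cookie_status() {  # usage: cookie_status JAR NAME [NOW_EPOCH]
  [ -r "$1" ] || { echo missing; return 0; }
  awk -F '\t' -v name="$2" -v now="${3:-$(date +%s)}" '
    { sub(/^#HttpOnly_/, "") }        # curl marks HttpOnly cookies this way
    /^#/ || NF < 7 { next }           # skip comments and blank lines
    $6 == name {
      found = 1
      if ($4 != "TRUE") s = "insecure"
      else if ($5 != 0 && $5 <= now) s = "expired"
      else s = "ok"
    }
    END { print (found ? s : "missing") }' "$1"
}

# Constructed sample jar (not captured traffic) for trying cookie_status offline.
make_sample_jar() {  # usage: make_sample_jar FILE
  h=twitter.example.invalid
  printf '# Netscape HTTP Cookie File\n' > "$1"
  printf '#HttpOnly_%s\tFALSE\t/\tTRUE\t1201500000\t_twitter_session\tCONSTRUCTED\n' "$h" >> "$1"
  printf '%s\tFALSE\t/\tFALSE\t0\tlang\ten\n' "$h" >> "$1"
}
```

A status of `expired` or `missing` means the user has to authenticate again, and `insecure` means curl would also send that cookie over plain `http://` if a request were ever made there.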
