Save user information

I need to store the information to get a new access_token in a $_SESSION[’’]. If I encrypt the session containing the refresh_token. Would this be a problem? Would hacking information such as client_secret or client_id be a problem?

If it’s encrypt’ed how do you use it? Can’t use the token if it’s encrypted?

Under normal operation a $_SESSION should only be returned to the user that own’s it.

Since a PHP session only stores a Session ID on the users computer that matches to the session data stored wherever on the server.

If your concrned is someone hacking the information they’ll just take your DB and grab the tokens from there. The Encryptiong doesn’t help when it needs to be reveresable to read the true value.

but if someone with bad intentions found them what could they do? I store the refresh_token in a session but it is the only one, the secret_client is stored in a php scipt.

The refresh token is used with the client secret to make a new access token for that user.

If they broken into your server, then they have both of these from looking in the database/wherever sessiosn are stored, and the files containting the secret…

Both need to be stored (and if encrypted reversabley encrypted)

You wouldn’t normally store a refresh token in session, since a session doesn’t last forever, and conceiveable you’d want to store the refresh token for usage until the user unlinks your application. So it doesn’t make sense to have the refresh token in session.

Yes, because the session will expire one month after its creation. I think it will be safer in a session than in a database or in a cookie

the session will expire up to one month after its creation.

fixed it

The session could be lost of die way before that. Since a session relies on a client side cookie.

If you only want to keep user tokens for up to a month then you should be using implicit auth which will generate a token good for ~60 days and doesn’t provide a refresh token.

The whole point of a refresh_token is you store it in a database forever. Not for one month.

How do I get this 60 day token? How do I know if this token has expired?

An implicit token, last I checked was 60 days ish, the duration can and will change

Implicit is documented here

To check token validity call which will also give you the time left on a given token

1 Like

Thank you very much !!

I don’t know why but I am asked to send this line but it only returns the normal code and not a token.

    ?client_id=<your client ID>
    &redirect_uri=<your registered redirect URI>
    &scope=<space-separated list of scopes>

Tha is a REDIRECT not a fetch

Create a <a href="">login</a> with that URL

Example project: Twitch Implicit Auth Example

yes but the site return that

GET describes the protocol to be used.

The Link doesn’t start with GET

Please refer to my example

thank you very much, i just have to see how to get the token when there is a # and not a ? between the url of the page and the information that i send back twitch

With javascript on the page

        if (document.location.hash && document.location.hash != '') {
            var parsedHash = new URLSearchParams(window.location.hash.substr(1));
            if (parsedHash.get('access_token')) {
                var access_token = parsedHash.get('access_token');
                document.getElementById('access_token').textContent = 'Your Access Key from the #url: ' + access_token;

From the example I linked to

Once you have it in a JS var you can do what you want with it

it is not possible to retrieve values using php?

You would have to use javascript to capture the token from the URL, and then pass that token to your server.

Generally speaking implicit auth is for use when you don’t have a server, and with a server you would generally use “regular” oAuth, which gives you a token thats (usually) valid for four hours, but it’s gives you a refresh token that you can use to generate a new token.

Which is the method you probably started with but you were trying to store the refresh token in session which doesn’t make sense, since sessions are not reliable to store long running/reusable data such as a refresh token

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.