

Quick and simple PHP Twitter login for your site, ideal for your weekend project - makethetick
https://github.com/deanbarrow/Twitter-PHP-Login

======
nbpoole
Security note: Check out the following lines, taken from the PHP API client
used by this application ([https://github.com/jmathai/twitter-async/blob/master/EpiOAut...](https://github.com/jmathai/twitter-async/blob/master/EpiOAuth.php#L173)):

    
    
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    

Those lines disable certificate verification: if I can intercept the
connection between this client and Twitter, I can present my own, self-signed
certificate and the client will still send requests as if I were twitter.com.
This completely defeats the purpose of using SSL for connections.

~~~
jmathai
Not sure if you've had a somewhat popular library on GitHub, but those two
lines of code save me lots and lots of issues being opened because the library
didn't work out of the box.

Perhaps I could add an optional setting to include those lines of code...but
that's the beauty of open source -- so can you :).

~~~
nbpoole
Fair enough: you'll have a pull request shortly. ;-)

Edit: Pull request created. <https://github.com/jmathai/twitter-async/pull/108>

~~~
jmathai
Did not expect that :). Thanks, will pull and merge.
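
Added example, not part of the thread or of EpiOAuth: a sketch of the "optional setting" idea from the exchange above, with certificate verification left on and the option used to supply a CA bundle instead of disabling checks. The function names `secure_curl_init` and `secure_get` and the `ca_bundle` option are hypothetical, and it assumes the "doesn't work out of the box" reports come from hosts without a usable CA store.

```php
<?php
// Added example: hypothetical helpers, not EpiOAuth's code.
// Verification stays on; a host with no CA store is fixed by pointing
// at a bundle file, not by turning the checks off.

function secure_curl_init(string $url, array $options = [])
{
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }

    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // Verify the server's certificate chain against trusted CAs.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    // 2 = the certificate must also match the host name requested.
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);

    // Optional explicit CA bundle (assumed option name: 'ca_bundle').
    if (!empty($options['ca_bundle'])) {
        if (!is_readable($options['ca_bundle'])) {
            throw new RuntimeException('CA bundle not readable: ' . $options['ca_bundle']);
        }
        curl_setopt($ch, CURLOPT_CAINFO, $options['ca_bundle']);
    }
    return $ch;
}

function secure_get(string $url, array $options = []): string
{
    $ch = secure_curl_init($url, $options);
    $body = curl_exec($ch);
    if ($body === false) {
        // Fail closed: surface the TLS error, never retry unverified.
        throw new RuntimeException(
            sprintf('request failed (%d): %s', curl_errno($ch), curl_error($ch))
        );
    }
    return $body;
}

try {
    echo strlen(secure_get('https://twitter.com/')), " bytes\n";
} catch (RuntimeException $e) {
    error_log($e->getMessage());
}
```

A verification failure here shows up as a logged curl error naming the certificate problem, which is the signal to fix the trust store on that host.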

------
pavel_lishin
One big problem I see right off the bat: the twitterLogin() function
completely breaks any page I embed this in, since if a visitor isn't logged
in, all they see is a link to twitter, and then _nothing_ since you're calling
exit().

Another nitpick: if I'm logged in, and twitterCallback() is called, why is it
redirecting me to / ? Perhaps my site is nested deep within a directory
structure.

~~~
makethetick
The script is just a basic login system, designed to be adapted to your needs
since every application will differ.

I might add a login button function that will allow you to put the login
button anywhere without protecting the page at the same time.

------
there

          echo "<p>You are logged in as ".$_SESSION['logged_in'].".</p>";
    

_shiver_

~~~
pavel_lishin
Hey, maybe we should be giving this guy constructive criticism instead of
shivering.

~~~
zackattack
The fact that people are shivering in reaction is actually very useful for
potential users of this software, though I agree that it's not constructive
for the author.

~~~
pavel_lishin
Fair enough on both points - but regarding the first one, will those users
actually read these comments? Not particularly likely, I don't think.

