Are oauth_token and oauth_verifier sufficient parameters for persistent isLoggedIn?

Question

I'm learning to use the twitter API for the first time. I want to build a website that allows users to post messages to their twitter, facebook and linkedin account. They will need to sign up first via the website's registration/authentication system, which is in not related to twitter, facebook and linkedin. Once logged in, they should be able to synchronize their twitter, facebook and linked in account with my website.

I'm starting development with twitter first. I followed this tutorial here: http://www.1stwebdesigner.com/tutorials/twitter-app-oauth-php/

After authenticating, twitter sends me to this url.

http://mywebsite.com/?oauth_token=o7gIh4x8xAs1mcms6OKthLoLecL99WVbky2Gu6o4no&oauth_verifier=83Ip3jrMVDvnbIY3RXS5DH1FUZrWAHddwApnOBfm4

The first time this page loads, it properly retrieves all the authenticated user info. But when I refresh the page, the all the user info disappears.

My question is:

Are the query string parameters oauth_token=o7gIh4x8xAs1mcms6OKthLoLecL99WVbky2Gu6o4no&oauth_verifier=83Ip3jrMVDvnbIY3RXS5DH1FUZrWAHddwApnOBfm4 all that's needed to gain write access to a user's twitter account? Can I store these tokens in my database so that the user never has to be prompted to sign into twitter again?

Answer 1

You had better keep oauth_token (and oauth_token_secret too) in your database since you will use them for all the authenticated requests you will do for the authenticated user. As for oauth_verifier, it is a parameter only used during the OAuth Authentication flow. So you can get rid of it once you have got the final tokens.

For further details (and to ensure what you are doing is right), see the corresponding "Sign in with Twitter" page on Twitter Developers website : https://dev.twitter.com/docs/auth/implementing-sign-twitter.