If I'm building an app to authenticate through OAuth, does it make sense to use cookies for sessions?
This is an open ended question that I was curious what people thought: Does it make sense, when you have an app that uses Twitter OAuth for authentication, to set a "Remember Me" cookie? This way, it wouldn't have to hit the OAuth service and could recreate the session if it's been in a set time period?
I hope this is clear. Curious about your thoughts.
It just depends on how long you want to wait before you send users back through the Sign in with Twitter auth flow. If you have cookies last for a long time they don't have to repeat the flow as often, but if someone steals the cookies they will have access for a longer period of time. On the downside, if they log out of Twitter and the cookie expires they then have to authenticate with Twitter. It really depends on what kind of security and token expiration makes sense for your web application.
OAuth has nothing to do with cookies. You should be storing your access token and using it until it expires. The access token expiration is a server controlled process and you must handle a case where you are given HTTP Unauthorized and go get a new access token.
Having a "remember me" functionality in your app is your app logic. You still can control if you want to show Twitter's auth screen to the user every time or not. Just keep in mind that if your expiration timeout is longer than twitter's access token lifespan then you'll have to make end user authenticate again.
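One way to apply that cap, as an added Python example that is not from the question or either answer: the "remember me" cookie is signed server-side, and its expiry is the earlier of the app's own limit and the stored access token's expiry, so the app never resumes a session whose Twitter token has already lapsed. The secret, the 30-day cap and the function names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for the example; a real app loads this from configuration.
SERVER_SECRET = b"constructed-secret-for-example-only"
# Assumed app-level cap on how long a remember-me cookie stays valid (30 days).
REMEMBER_ME_MAX_AGE = 30 * 24 * 3600


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def issue_remember_me(user_id: str, token_expires_at: int, now: int) -> str:
    """Build a signed remember-me cookie value (all times are Unix seconds).

    The cookie expiry is the earlier of the app's own cap and the moment the
    stored access token expires, so a resumed session never outlives the token
    it depends on.
    """
    expires_at = min(now + REMEMBER_ME_MAX_AGE, token_expires_at)
    payload = json.dumps({"uid": user_id, "exp": expires_at}, separators=(",", ":")).encode()
    encoded = base64.urlsafe_b64encode(payload).decode()
    return f"{encoded}.{_sign(payload)}"


def resume_session(cookie: Optional[str], now: int) -> Optional[str]:
    """Return the user id if the cookie is intact and unexpired, else None.

    None means the app should fall back to its normal login (and, if the stored
    token is gone or expired, to the Sign in with Twitter flow) instead of
    trusting the cookie.
    """
    if not cookie or "." not in cookie:
        return None
    encoded, sig = cookie.rsplit(".", 1)
    try:
        payload = base64.urlsafe_b64decode(encoded.encode())
    except ValueError:
        return None
    # Constant-time comparison: a forged signature cannot be matched byte by byte.
    if not hmac.compare_digest(_sign(payload).encode(), sig.encode()):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("uid")
```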
It shouldn't matter. When the app uses OAuth, it gets back a token that it should store with your account information. Then, when you come back, it can look up the token and use that for access to your Twitter account.
If you don't have a cookie, you can just log in to the app, and it will have your token stored. If you do, then you can skip that login step. In neither case will you have to log in to Twitter again (until the token expires).