Correct way to safely store token/secret/etc from OAuth?

I just started looking into OAuth and it looks really nice. I have oauth with twitter working in ruby right now.

Now I'm wondering, what is the recommended safe way to store the responses in my local database and session?

• What should I store?
• Where should I store it?

This example twitter-oauth-开发者_JAVA百科with-rails app stores a user.id in the session, and the user table has the token and secret. But that seems like it'd be really easy to hack and get the secret by just passing in a slew of test user ids, no?

The tokens are useless without the consumer key/secret of your twitter app as they're not the same for every app but depend on the consumer key/secret.

To get a session variable you would have to guess the session id which is not that easy to accomplish.

If you want you can store those tokens in the session but I would suggest storing the user tokens in your database with all the other user data so your session contains only the data to identify the user in your system.

Update: I'm not sure if I understand correctly what you mean by accessing the tokens from the database by guessing an ID.

Do you have any authentication in place so that the users have to enter some credentials to access their data? You should store the tokens the same way you store the users email address or password and only authenticated users should be able to access it.

If you're developing a web application you can add a hidden field to the form the user submits, with some hash-like value calculated with the user.id so evil guys cannot change that value and just "guess" for an access token