django & facebook: security & design for a facebook webapp that performs a third party login on behalf of the user

无人共我 2021-01-21 22:57

I'm writing a Facebook canvas webapp that performs a login (using urllib) to a third party website and performs actions on behalf of the user. This means I have 2 accounts; the

3 Answers
  •  长发绾君心
    2021-01-21 23:22

    You might as well encrypt it using a key on the server. If anyone gains access to your server they will have everything they need to retrieve the key even if you're getting it from Facebook.

    I think the best you can do is to store the key in a location that isn't available to your webserver, but that is available to your script. At least make sure you don't store the key in the database.

    Whatever you do beyond that would just be security through obscurity. The key here is to keep your server secure so that no one gains access to it.
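
One way to enforce the key placement the answer above recommends, as an added example that is not part of the original answer or of any library. It assumes a POSIX host, reads "not available to your webserver" as "outside the served directory and readable only by the owning account", and `load_key`, `KeyFileError` and the directory layout are hypothetical names constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


class KeyFileError(Exception):
    """The key file's location or permissions are unsafe."""


def load_key(key_path, web_root, min_len=32):
    """Return the key bytes, refusing files the web server could expose."""
    key_file = Path(key_path).resolve()  # resolve() follows symlinks
    root = Path(web_root).resolve()
    # The key must not live anywhere under the directory served over HTTP.
    if root in key_file.parents:
        raise KeyFileError(f"{key_file.name} is inside the web root")
    # Only the account that owns the file (the script's user) may touch it.
    if key_file.stat().st_mode & 0o077:
        raise KeyFileError(f"{key_file.name} is accessible to group/other")
    key = key_file.read_bytes().strip()
    if len(key) < min_len:
        raise KeyFileError(f"{key_file.name} is shorter than {min_len} bytes")
    return key


def demo():
    """Constructed layout: try one safe and two unsafe key placements."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        web_root, secrets = Path(tmp, "www"), Path(tmp, "secrets")
        web_root.mkdir()
        secrets.mkdir()
        cases = {
            "outside_0600": (secrets / "a.key", 0o600),
            "outside_0644": (secrets / "b.key", 0o644),
            "inside_webroot": (web_root / "c.key", 0o600),
        }
        for name, (path, mode) in cases.items():
            path.write_bytes(os.urandom(32).hex().encode())  # constructed key
            os.chmod(path, mode)
            try:
                load_key(path, web_root)
                results[name] = "ok"
            except KeyFileError as exc:
                results[name] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

Calling `load_key` once at startup makes a misplaced or over-permissive key file fail loudly instead of being used silently.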
