Most sites instruct you to store the access token and access token secret obtained via the Twitter API in $_SESSION.
On the other hand, we also see many sites that say "$_SESSION should not store sensitive information (credentials, etc.) because of the risk of XSS (cross-site scripting)."
Is this a good way to do it?
$_SESSION[ 'oauth_token' ] = $reply->oauth_token;
$_SESSION[ 'oauth_token_secret' ] = $reply->oauth_token_secret;

Quote from https://www.wabiapp.com/PronamaStudy/php/php_twitter_auth.html
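The point behind both pieces of advice is that $_SESSION data stays on the server and only the session ID cookie reaches the browser, so what an XSS bug can reach is that cookie (and any token you echo into the page), not the session store itself. The following is an added example, not code from the quoted page or the question, showing the token pair stored behind a hardened session; the $reply object with oauth_token / oauth_token_secret is assumed to come from the OAuth library as in the question.

```php
<?php
// Added example: keep the Twitter token pair in $_SESSION behind a
// hardened session cookie. $reply is assumed to be the OAuth library's
// response object with ->oauth_token and ->oauth_token_secret.
declare(strict_types=1);

function start_hardened_session(): void
{
    // Session contents live server-side; only the ID goes to the browser.
    // HttpOnly keeps it away from document.cookie (the XSS concern), Secure
    // keeps it off plain HTTP, SameSite keeps it out of cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0,        // cookie expires when the browser closes
        'path'     => '/',
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject unknown session IDs
    ini_set('session.use_only_cookies', '1'); // never accept IDs via URL
    session_start();
}

function store_oauth_tokens(object $reply): void
{
    // Rotate the ID at the privilege change so an ID seen before login
    // is useless afterwards; true discards the old session file.
    session_regenerate_id(true);
    $_SESSION['oauth_token']        = $reply->oauth_token;
    $_SESSION['oauth_token_secret'] = $reply->oauth_token_secret;
}

function oauth_tokens(): ?array
{
    // Hand the pair to server-side API calls only; never echo it into
    // HTML or JavaScript, which is where injected script could read it.
    if (!isset($_SESSION['oauth_token'], $_SESSION['oauth_token_secret'])) {
        return null;
    }
    return [
        'oauth_token'        => $_SESSION['oauth_token'],
        'oauth_token_secret' => $_SESSION['oauth_token_secret'],
    ];
}

// Usage with a constructed stand-in for the real $reply object:
start_hardened_session();
store_oauth_tokens((object) ['oauth_token' => 'EXAMPLE-TOKEN',
                             'oauth_token_secret' => 'EXAMPLE-SECRET']);
```

The array form of session_set_cookie_params() with the samesite key needs PHP 7.3 or later.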