From 260380fa1b3d26f9da9df13554fc1bd2e37b8387 Mon Sep 17 00:00:00 2001 From: "J.M" Date: Sat, 15 Jun 2013 19:54:54 +0200 Subject: [PATCH] Readme: Fix authentication sample. Fix #23 --- CHANGELOG | 1 + README.md | 28 +++++++++++++++++++--------- 2 files changed, 20 insertions(+), 9 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index f9b50d6..5a1db62 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -6,6 +6,7 @@ codebird-php - changelog + rfe #21 JSON return format + Support HTTP proxy replies + Validate Twitter SSL certificate ++ #23 Readme: Fix authentication sample 2.3.6 (2013-05-12) + Add backslash to stdClass construction, due to namespace diff --git a/README.md b/README.md index 1b71289..bdcf6cc 100644 --- a/README.md +++ b/README.md 
@@ -54,34 +54,44 @@ Or you authenticate, like this: ```php session_start(); -if (! isset($_GET['oauth_verifier'])) { - // gets a request token +if (! isset($_SESSION['oauth_token'])) { + // get the request token $reply = $cb->oauth_requestToken(array( 'oauth_callback' => 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] )); - // stores it + // store the token $cb->setToken($reply->oauth_token, $reply->oauth_token_secret); $_SESSION['oauth_token'] = $reply->oauth_token; $_SESSION['oauth_token_secret'] = $reply->oauth_token_secret; + $_SESSION['oauth_verify'] = true; - // gets the authorize screen URL + // redirect to auth website $auth_url = $cb->oauth_authorize(); header('Location: ' . $auth_url); die(); -} elseif (! isset($_SESSION['oauth_verified'])) { - // gets the access token +} elseif (isset($_GET['oauth_verifier']) && isset($_SESSION['oauth_verify'])) { + // verify the token $cb->setToken($_SESSION['oauth_token'], $_SESSION['oauth_token_secret']); + unset($_SESSION['oauth_verify']); + + // get the access token $reply = $cb->oauth_accessToken(array( 'oauth_verifier' => $_GET['oauth_verifier'] )); - // store the authenticated token, which may be different from the request token (!) + + // store the token (which is different from the request token!) $_SESSION['oauth_token'] = $reply->oauth_token; $_SESSION['oauth_token_secret'] = $reply->oauth_token_secret; - $cb->setToken($_SESSION['oauth_token'], $_SESSION['oauth_token_secret']); - $_SESSION['oauth_verified'] = true; + + // send to same URL, without oauth GET parameters + header('Location: ' . basename(__FILE__)); + die(); } + +// assign access token on each page load +$cb->setToken($_SESSION['oauth_token'], $_SESSION['oauth_token_secret']); ``` ### 1.1. Application-only auth
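Review bot: The first branch now keys on `$_SESSION['oauth_token']`, which after the request-token step holds the unauthorised request token, so a user who returns without `oauth_verifier` (authorisation denied or abandoned) matches neither branch and the trailing `$cb->setToken(...)` loads the request token as if it were the access token; the sample offers no path back into the flow for that session. Keeping the two states apart would avoid this: set a separate flag such as `$_SESSION['oauth_verified'] = true;` only after `oauth_accessToken()` has returned, and test that flag rather than `oauth_token` when deciding whether to start over. The access-token branch also copies `$reply->oauth_token` into the session without checking that the exchange returned one; a guard such as `if (! isset($reply->oauth_token, $reply->oauth_token_secret)) { session_unset(); die(); }` before the two assignments keeps a failed exchange out of the session. Because the session gains credentials at that point, `session_regenerate_id(true);` just before storing them is worth adding to a sample that readers will copy.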