I'm experimenting with a way of knowing the specific Twitter identities of my site's users even though they're not logged in, and would like the help of the community to find out how I could reduce the possibility of impersonation.
The main idea is that a user comes to the main page, fills a form, and clicks on a "tweet this" button as a way to submit the form. That opens up a popup where the user sees a pre-filled message: "I just submitted this form" and tweets it. This popup resides on twitter.com. No oauth is involved here. When the tweet is done, twitter sends back the id of the tweet that was just created to a javascript callback function on the web page. This javascript function ajax POSTs the form fields as well as the tweet id to a handler on the server.
The server then fetches the twitter information of that tweet including the user info and saves the form info with a foreign key to the user.
What I want to avoid is for an impersonator to come to the page, fill up the form with junk, and manually POST the form including a tweet id to an unrelated tweet from another user.
Django, which I'm using, has something called CSRF tokens to prevent impersonators from doing POST calls without loading the page. But I'm not sure if this would also prevent users who load the page (and see the CSRF token) from faking the POST.
The main thing I want to avoid is for people to associate a Twitter id that is not theirs with a form that they post.
Looking forward to your suggestions of some creative ways to solve this or to poke holes in my thinking.
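One way to bind the tweet to the specific form load, as an added example that is not part of the question or any answer: the server puts a per-page-load token into the pre-filled tweet text, and the handler only accepts a tweet id whose fetched text carries that token (and only once). The names `issue_nonce`, `page_load_id`, `SERVER_SECRET` and the shape of the tweet dict are assumptions, and the page-load id is assumed to be stored server-side (e.g. in the Django session).

```python
import hashlib
import hmac

# Constructed server secret; in a Django app this would be settings.SECRET_KEY.
SERVER_SECRET = b"constructed-server-secret"

# Nonces already redeemed, so one tweet cannot back two form submissions
# (in-memory stand-in for a database table).
_consumed = set()


def issue_nonce(page_load_id: str) -> str:
    """Derive a short per-page-load token the server can recompute later without storing it."""
    mac = hmac.new(SERVER_SECRET, page_load_id.encode(), hashlib.sha256).hexdigest()
    return mac[:12]


def prefilled_tweet_text(page_load_id: str) -> str:
    """Text placed in the 'tweet this' popup; the hashtag is what ties the tweet to this page load."""
    return f"I just submitted this form #{issue_nonce(page_load_id)}"


def verify_tweet_binding(tweet: dict, page_load_id: str):
    """Check a tweet the server fetched by id against the page load that POSTed it.
    Assumed tweet shape: {'id_str': ..., 'text': ..., 'user': {'screen_name': ...}}.
    Returns the author's screen_name on success, None on any failure."""
    nonce = issue_nonce(page_load_id)
    if nonce in _consumed:
        return None  # replay: this page load already produced a verified submission
    expected = ("#" + nonce).encode()
    tokens = tweet.get("text", "").split()
    # constant-time compare of each token against the expected hashtag
    if not any(hmac.compare_digest(tok.encode(), expected) for tok in tokens):
        return None  # tweet was not generated from this page load (e.g. an arbitrary tweet id)
    screen_name = tweet.get("user", {}).get("screen_name")
    if not screen_name:
        return None
    _consumed.add(nonce)
    return screen_name


# Constructed sample data: one page load, and two tweets the server might fetch by id.
PAGE_LOAD_ID = "session-4f2a-form-1"
LEGIT_TWEET = {"id_str": "1001", "text": prefilled_tweet_text(PAGE_LOAD_ID),
               "user": {"screen_name": "alice"}}
UNRELATED_TWEET = {"id_str": "2002", "text": "I just submitted this form",
                   "user": {"screen_name": "bob"}}
```

Because the token is tied to the page load rather than to the user, someone who loads the page can only ever attach a tweet they themselves posted with that token; an unrelated tweet from another account never contains it.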