Security note: Check out the following lines, taken from the PHP API client used by this application (<a href="https://github.com/jmathai/twitter-async/blob/master/EpiOAuth.php#L173" rel="nofollow">https://github.com/jmathai/twitter-async/blob/master/EpiOAut...</a>):<p><pre><code>curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
</code></pre>
Those lines disable certificate verification: if I can intercept the connection between this client and Twitter, I can present my own, self-signed certificate and the client will still send requests as if I were twitter.com. This completely defeats the purpose of using SSL for connections.
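For contrast, here is what the curl setup looks like with verification left on. This is an added example, not code from twitter-async or from the commenter; the function names, the optional $caBundle parameter and the timeouts are assumptions. It returns the option array so the settings can be inspected without making a network request, and fails closed when curl_exec() reports a certificate problem.

```php
<?php
// Added example (not twitter-async code): a hardened replacement for the
// curl setup quoted above. Function names and $caBundle are assumptions.

function verifiedCurlOptions(string $url, ?string $caBundle = null): array
{
    $opts = [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        // Validate the server certificate chain against the trusted CA store.
        CURLOPT_SSL_VERIFYPEER => true,
        // 2 = require the certificate's name to match the host in the URL.
        // 0 disables the check; do not use 1, which older libcurl rejected.
        CURLOPT_SSL_VERIFYHOST => 2,
        // Refuse plain HTTP, including on redirects, so a downgrade cannot
        // sidestep TLS entirely.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,
        CURLOPT_CONNECTTIMEOUT  => 10,
        CURLOPT_TIMEOUT         => 30,
    ];
    if ($caBundle !== null) {
        // Explicit CA bundle path; otherwise libcurl uses its compiled-in default.
        $opts[CURLOPT_CAINFO] = $caBundle;
    }
    return $opts;
}

function verifiedGet(string $url, ?string $caBundle = null): string
{
    $ch = curl_init();
    curl_setopt_array($ch, verifiedCurlOptions($url, $caBundle));
    $body = curl_exec($ch);
    if ($body === false) {
        $errno = curl_errno($ch);
        $error = curl_error($ch);
        curl_close($ch);
        // With verification on, a self-signed or mismatched certificate makes
        // curl_exec() fail (CURLE_PEER_FAILED_VERIFICATION / CURLE_SSL_CACERT)
        // instead of silently sending the request to the interceptor.
        throw new RuntimeException("TLS request to $url failed ($errno): $error");
    }
    curl_close($ch);
    return $body;
}

// Self-check that the two dangerous settings from the quoted snippet are absent.
// Usage: php -r 'require "verified_curl.php";
//                var_dump(assertVerifying(verifiedCurlOptions("https://api.twitter.com/")));'
function assertVerifying(array $opts): bool
{
    return ($opts[CURLOPT_SSL_VERIFYPEER] ?? false) === true
        && ($opts[CURLOPT_SSL_VERIFYHOST] ?? 0) === 2;
}
```

The important part is that the failure is loud: with VERIFYPEER on, an intercepted connection surfaces as a curl error rather than a successful request signed with your OAuth credentials. If the CA store on the host is missing or stale, fix the store (or point CURLOPT_CAINFO at a current bundle) rather than turning verification back off.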
One big problem I see right off the bat: the twitterLogin() function completely breaks any page I embed this in, since if a visitor isn't logged in, all they see is a link to twitter, and then <i>nothing</i> since you're calling exit().<p>Another nitpick: if I'm logged in, and twitterCallback() is called, why is it redirecting me to / ? Perhaps my site is nested deep within a directory structure.