Currently I have a page with a link to OAuth using Instagram. If the login is successful, I am redirected back to the same PHP page with the user's information. However, if I refresh the page, the user will see the login link again (it's hidden when the user is logged in). I know I should use cookies to save state information, but what should I store in the cookie? If I store the username (only returned with a successful login), would that be insecure, since anyone can modify the cookie on their own computer with any other username and gain access to that account?
If you follow the server side authentication flow, your callback page should receive an access_token in the url, so:

1. Redirect the user to https://api.instagram.com/oauth/authorize/?client_id=CLIENT-ID&redirect_uri=REDIRECT-URI&response_type=code with your app's credentials (client id and redirect uri)... make sure your response type is code.

2. If the user says no, they are redirected to your uri with the error parameter; otherwise they are redirected with the code parameter: http://your-redirect-uri?code=CODE

3. Make a POST request from your backend (using cURL or similar in PHP) off to Instagram asking for the token with the parameters code, redirect_uri, grant_type=authorization_code, and your client_secret.
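As an added example (not code from the answer above), here is a PHP callback page that performs step 3 with cURL and then answers the cookie question: the result goes into a server-side PHP session, so the browser only ever holds an opaque session id rather than a username it could edit. The token endpoint URL, the placeholder credentials and the shape of the JSON response (access_token plus a user object) are assumptions, not taken from the page.

```php
<?php
// callback.php: the page named in redirect_uri. Added example, not the answer's code.
const CLIENT_ID     = 'YOUR-CLIENT-ID';                  // placeholder
const CLIENT_SECRET = 'YOUR-CLIENT-SECRET';              // placeholder, server-side only
const REDIRECT_URI  = 'https://example.com/callback.php'; // placeholder
const TOKEN_URL     = 'https://api.instagram.com/oauth/access_token'; // assumed endpoint

// The session cookie carries only a random id; user data stays on the server,
// so editing the cookie cannot turn one user into another.
session_start();

if (isset($_GET['error'])) {                 // user said no
    exit('Login denied: ' . htmlspecialchars($_GET['error'], ENT_QUOTES, 'UTF-8'));
}
if (!isset($_GET['code'])) {
    exit('Missing code parameter');
}

// Exchange the one-time code for a token from the backend; the client_secret
// is sent server-to-server and never reaches the browser.
$ch = curl_init(TOKEN_URL);
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => http_build_query([
        'client_id'     => CLIENT_ID,
        'client_secret' => CLIENT_SECRET,
        'grant_type'    => 'authorization_code',
        'redirect_uri'  => REDIRECT_URI,
        'code'          => $_GET['code'],
    ]),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYPEER => true,          // keep TLS certificate checks on
    CURLOPT_TIMEOUT        => 10,
]);
$body   = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

$data = json_decode((string) $body, true);
if ($status !== 200 || !is_array($data) || empty($data['access_token'])) {
    exit('Token exchange failed');
}

// Fresh session id after login, then store the result server-side.
session_regenerate_id(true);
$_SESSION['access_token'] = $data['access_token'];
$_SESSION['user']         = $data['user'] ?? null;   // assumed response field

header('Location: /');   // back to the page; it shows the login link only if $_SESSION['user'] is unset
exit;
```

The page that hides the login link should call session_start() and test isset($_SESSION['user']) instead of reading anything user-controlled from the cookie.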