[security-dev] input on bearer tokens and cookies

Bill Burke bburke at redhat.com
Tue Dec 11 12:16:06 EST 2012

I'm looking for some input.

For the OAuth SSO protocol I'm working on, I'm thinking of storing the 
bearer token within a "secure" cookie and verifying the bearer token 
each HTTP request (for browser-based apps only).  The upside to this is 
that you can establish a stateless SSO between a set of load-balanced 
servers.  Downside is it takes about 1-2ms on my box to both parse and 
verify the cookie.  Too much overhead?  Should I store the unmarshaled
token in the HTTP session instead?

Any other thoughts on bearer tokens stored in cookies?



Bill Burke
JBoss, a division of Red Hat
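The design the post sketches (bearer token in a Secure/HttpOnly cookie, verified on every request so that any node behind the load balancer can authenticate without shared session state) as an added, self-contained example in Python. This is illustrative code, not Bill's OAuth SSO implementation: the token format (base64url JSON claims plus an HMAC-SHA256 tag), the cookie name `sso_token`, the shared key, the claim names and the TTL are all assumptions made for the example, and the `SameSite` attribute is a later addition to cookie semantics that did not exist when the post was written.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional

# Assumed shared key: every load-balanced node holds the same key so any node can
# verify a token minted by any other. That is what makes the SSO stateless.
# Constructed here for the example; in a real deployment it is provisioned and rotated.
SHARED_KEY = secrets.token_bytes(32)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes, ttl_seconds: int = 300, now=None) -> str:
    """Serialise claims as base64url(JSON) and append an HMAC-SHA256 tag (assumed format)."""
    now = time.time() if now is None else now
    body = dict(claims, iat=int(now), exp=int(now) + ttl_seconds)
    payload = _b64url(json.dumps(body, separators=(",", ":"), sort_keys=True).encode())
    tag = _b64url(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{tag}"


def verify_token(token: str, key: bytes, now=None) -> Optional[dict]:
    """Return the claims if the tag verifies and the token is unexpired, otherwise None."""
    now = time.time() if now is None else now
    try:
        payload, tag = token.split(".", 1)
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        # Constant-time compare so a forger cannot learn the tag byte by byte via timing.
        if not hmac.compare_digest(expected, _unb64url(tag)):
            return None
        claims = json.loads(_unb64url(payload))
    except (ValueError, TypeError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def make_set_cookie(token: str) -> str:
    """Set-Cookie value for the token: Secure keeps it off plain HTTP, HttpOnly keeps it
    away from page scripts, SameSite=Lax limits cross-site sending (assumed cookie name)."""
    return f"sso_token={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


def authenticate_request(cookie_header: str, key: bytes, now=None) -> Optional[dict]:
    """The per-request step: pull the token out of the Cookie header and verify it."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("sso_token")
    if morsel is None:
        return None
    return verify_token(morsel.value, key, now=now)


def microseconds_per_verify(token: str, key: bytes, iterations: int = 2000) -> float:
    """Measure parse-plus-verify cost per request, the overhead the post asks about."""
    start = time.perf_counter()
    for _ in range(iterations):
        verify_token(token, key)
    return (time.perf_counter() - start) / iterations * 1e6


if __name__ == "__main__":
    tok = mint_token({"sub": "alice", "aud": "app1"}, SHARED_KEY, ttl_seconds=300)
    print(make_set_cookie(tok))
    print("claims:", authenticate_request(f"sso_token={tok}", SHARED_KEY))
    print(f"verify cost: {microseconds_per_verify(tok, SHARED_KEY):.1f} us/request")
```

The trade-off in the post shows up directly: `verify_token` does a base64 decode, an HMAC and a JSON parse on every request, but no node needs to look anything up, so adding or losing a server behind the balancer changes nothing. Caching the unmarshaled claims in an HTTP session, the alternative the post raises, removes that per-request cost but reintroduces server-side state that must be shared or pinned.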

