[security-dev] input on bearer tokens and cookies

Bill Burke bburke at redhat.com
Tue Dec 11 12:55:16 EST 2012

Meh, i guess the biggest problem would be that all applications running 
on the domain would be able to see the cookie.

On 12/11/2012 12:16 PM, Bill Burke wrote:
> I'm looking for some input.
> For the OAuth SSO protocol I'm working on, I'm thinking of storing the
> bearer token within a "secure" cookie and verifying the bearer token
> each HTTP request (for browser-based apps only).  The upside to this is
> that you can establish a stateless SSO between a set of load-balanced
> servers.  Downside is it takes about 1-2ms on my box to both parse and
> verify the cookie.  TO much overhead?  Should I store the unmarshaled
> token in the HTTP session instead?
> Any other thoughts on bearer tokens stored in cookies?
> Thanks
> Bill

Bill Burke
JBoss, a division of Red Hat

More information about the security-dev mailing list