[security-dev] input on bearer tokens and cookies

Bill Burke bburke at redhat.com
Tue Dec 11 13:36:37 EST 2012


I guess this could be fixed with cookie paths?

On 12/11/2012 12:55 PM, Bill Burke wrote:
> Meh, i guess the biggest problem would be that all applications running
> on the domain would be able to see the cookie.
>
> On 12/11/2012 12:16 PM, Bill Burke wrote:
>> I'm looking for some input.
>>
>> For the OAuth SSO protocol I'm working on, I'm thinking of storing the
>> bearer token within a "secure" cookie and verifying the bearer token
>> each HTTP request (for browser-based apps only).  The upside to this is
>> that you can establish a stateless SSO between a set of load-balanced
>> servers.  Downside is it takes about 1-2ms on my box to both parse and
>> verify the cookie.  Too much overhead?  Should I store the unmarshaled
>> token in the HTTP session instead?
>>
>> Any other thoughts on bearer tokens stored in cookies?
>>
>> Thanks
>>
>> Bill
>>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
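An added example, not code from this thread or from Bill's project: a stateless signed-cookie scheme of the kind discussed above, where each server verifies the bearer token with a shared key on every request and the cookie is scoped to one application path so sibling apps on the same domain never receive it. The shared key, cookie name and claim layout are assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key; in practice the same key is deployed on every
# load-balanced server, which is what makes per-request verification stateless.
SHARED_KEY = b"demo-key-not-for-production"
COOKIE_NAME = "sso_token"  # assumed cookie name

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(subject: str, ttl_seconds: int, now: float) -> str:
    """Serialise the claims and append an HMAC-SHA256 tag: <payload>.<tag>."""
    claims = {"sub": subject, "exp": int(now) + ttl_seconds}
    payload = _b64(json.dumps(claims).encode())
    tag = hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"

def verify_token(token: str, now: float):
    """Return the claims if the tag is valid and the token is unexpired, else None."""
    try:
        payload, tag = token.split(".", 1)
        expected = hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison so a forger learns nothing from timing.
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # bad base64, bad JSON, or no "." separator
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims

def set_cookie_header(token: str, path: str) -> str:
    """Set-Cookie value limited to one app's path (the cookie-path point above),
    sent only over TLS and hidden from page scripts."""
    return f"{COOKIE_NAME}={token}; Path={path}; Secure; HttpOnly; SameSite=Lax"

def authenticate_request(cookie_header: str, now: float):
    """Pull the bearer token out of the Cookie request header and verify it."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            return verify_token(value, now)
    return None
```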