[security-dev] input on bearer tokens and cookies

Anil Saldhana Anil.Saldhana at redhat.com
Wed Dec 12 15:43:16 EST 2012

Bill, if you look at RFC 6750 (http://tools.ietf.org/html/rfc6750), they 
have a recommendation:
  Don't store bearer tokens in cookies:  Implementations MUST NOT store
  bearer tokens within cookies that can be sent in the clear (which
  is the default transmission mode for cookies).  Implementations
  that do store bearer tokens in cookies MUST take precautions
  against cross-site request forgery.

I guess we can mitigate the situation if using cookies, with:
a) Use of TLS/SSL (anyway mandatory for bearer tokens).
b) Short Lived tokens. (minimize replay)

On 12/11/2012 12:36 PM, Bill Burke wrote:
> I guess this could be fixed with cookie paths?
> On 12/11/2012 12:55 PM, Bill Burke wrote:
>> Meh, i guess the biggest problem would be that all applications running
>> on the domain would be able to see the cookie.
>> On 12/11/2012 12:16 PM, Bill Burke wrote:
>>> I'm looking for some input.
>>> For the OAuth SSO protocol I'm working on, I'm thinking of storing the
>>> bearer token within a "secure" cookie and verifying the bearer token
>>> each HTTP request (for browser-based apps only).  The upside to this is
>>> that you can establish a stateless SSO between a set of load-balanced
>>> servers.  Downside is it takes about 1-2ms on my box to both parse and
>>> verify the cookie.  TO much overhead?  Should I store the unmarshaled
>>> token in the HTTP session instead?
>>> Any other thoughts on bearer tokens stored in cookies?
>>> Thanks
>>> Bill

More information about the security-dev mailing list