[security-dev] input on bearer tokens and cookies

Bill Burke bburke at redhat.com
Wed Dec 12 16:30:29 EST 2012

Hence what I said: "storing the bearer token within a 'secure' cookie". 
  You can set a flag on a cookie to be secure so that the browser will 
only transmit it over an HTTP connection.

I was more concerned about validating and parsing the token with each 
request and how much time it takes.  My tokens are signed and also 
contain permission and identity metadata.

Also, if you require two-way TLS, then, IMO, you can have longer-lived 
bearer tokens.  At least with the token format I'm proposing (idp signed 
tokens that contain callers public key or cert).  Come to think of it, 
maybe I don't want the bearer token to be in the cookie.  1)  You'll 
want the authenticated session to invalidate after an idle timeout and 
2) You don't want a user to be suddenly logged out on an active session.

On 12/12/2012 3:43 PM, Anil Saldhana wrote:
> Bill, if you look at RFC 6750 (http://tools.ietf.org/html/rfc6750), they
> have a recommendation:
> ===============
>    Don't store bearer tokens in cookies:  Implementations MUST NOT store
>    bearer tokens within cookies that can be sent in the clear (which
>    is the default transmission mode for cookies).  Implementations
>    that do store bearer tokens in cookies MUST take precautions
>    against cross-site request forgery.
> ===============
> I guess we can mitigate the situation if using cookies, with:
> a) Use of TLS/SSL (anyway mandatory for bearer tokens).
> b) Short Lived tokens. (minimize replay)
> On 12/11/2012 12:36 PM, Bill Burke wrote:
>> I guess this could be fixed with cookie paths?
>> On 12/11/2012 12:55 PM, Bill Burke wrote:
>>> Meh, i guess the biggest problem would be that all applications running
>>> on the domain would be able to see the cookie.
>>> On 12/11/2012 12:16 PM, Bill Burke wrote:
>>>> I'm looking for some input.
>>>> For the OAuth SSO protocol I'm working on, I'm thinking of storing the
>>>> bearer token within a "secure" cookie and verifying the bearer token
>>>> each HTTP request (for browser-based apps only).  The upside to this is
>>>> that you can establish a stateless SSO between a set of load-balanced
>>>> servers.  Downside is it takes about 1-2ms on my box to both parse and
>>>> verify the cookie.  TO much overhead?  Should I store the unmarshaled
>>>> token in the HTTP session instead?
>>>> Any other thoughts on bearer tokens stored in cookies?
>>>> Thanks
>>>> Bill
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev

Bill Burke
JBoss, a division of Red Hat

More information about the security-dev mailing list