Re: [security-dev] input on bearer tokens and cookies
The cookies may be the easiest for you. An option with HTML5 is
the localstorage. In this case, the JS calls from the browser have
to save/restore the token that identifies session token/bearer token
and send it as part of the call.
On 12/11/2012 11:16 AM, Bill Burke wrote:
I'm looking for some input.
For the OAuth SSO protocol I'm working on, I'm thinking of storing the
bearer token within a "secure" cookie and verifying the bearer token
each HTTP request (for browser-based apps only). The upside to this is
that you can establish a stateless SSO between a set of load-balanced
servers. Downside is it takes about 1-2ms on my box to both parse and
verify the cookie. TO much overhead? Should I store the unmarshaled
token in the HTTP session instead?
Any other thoughts on bearer tokens stored in cookies?
Thanks
Bill