Hence what I said: "storing the bearer token within a 'secure' cookie".
You can set a flag on a cookie to be secure so that the browser will
only transmit it over an HTTP connection.
I was more concerned about validating and parsing the token with each
request and how much time it takes. My tokens are signed and also
contain permission and identity metadata.
Also, if you require two-way TLS, then, IMO, you can have longer-lived
bearer tokens. At least with the token format I'm proposing (idp signed
tokens that contain caller's public key or cert). Come to think of it,
maybe I don't want the bearer token to be in the cookie. 1) You'll
want the authenticated session to invalidate after an idle timeout and
2) You don't want a user to be suddenly logged out on an active session.
On 12/12/2012 3:43 PM, Anil Saldhana wrote:
Bill, if you look at RFC 6750 (http://tools.ietf.org/html/rfc6750), they
have a recommendation:
===============
Don't store bearer tokens in cookies: Implementations MUST NOT store
bearer tokens within cookies that can be sent in the clear (which
is the default transmission mode for cookies). Implementations
that do store bearer tokens in cookies MUST take precautions
against cross-site request forgery.
===============
I guess we can mitigate the situation if using cookies, with:
a) Use of TLS/SSL (anyway mandatory for bearer tokens).
b) Short Lived tokens. (minimize replay)
On 12/11/2012 12:36 PM, Bill Burke wrote:
> I guess this could be fixed with cookie paths?
>
> On 12/11/2012 12:55 PM, Bill Burke wrote:
>> Meh, i guess the biggest problem would be that all applications running
>> on the domain would be able to see the cookie.
>>
>> On 12/11/2012 12:16 PM, Bill Burke wrote:
>>> I'm looking for some input.
>>>
>>> For the OAuth SSO protocol I'm working on, I'm thinking of storing the
>>> bearer token within a "secure" cookie and verifying the bearer token
>>> each HTTP request (for browser-based apps only). The upside to this is
>>> that you can establish a stateless SSO between a set of load-balanced
>>> servers. Downside is it takes about 1-2ms on my box to both parse and
>>> verify the cookie. Too much overhead? Should I store the unmarshaled
>>> token in the HTTP session instead?
>>>
>>> Any other thoughts on bearer tokens stored in cookies?
>>>
>>> Thanks
>>>
>>> Bill
>>>
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
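An added example, not code from this thread or from JBoss, of the stateless scheme the thread discusses: a signed, self-contained token (identity plus permission metadata) carried in a cookie with the Secure flag, verified on every request with no server-side session, re-issued before it lapses so that short-lived tokens do not log out an active user, and set with the CSRF precaution RFC 6750 requires. The signing key, cookie name and claim layout are assumptions.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

SIGNING_KEY = b"constructed-demo-key-not-for-production"  # constructed; the IdP's key in practice
COOKIE_NAME = "sso_token"  # hypothetical cookie name

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject: str, permissions: list, ttl: int, now: float = None) -> str:
    """Mint a self-contained token: base64url(JSON claims) '.' base64url(HMAC-SHA256 over it)."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "perms": permissions, "iat": int(now), "exp": int(now) + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig

def verify_token(token: str, now: float = None) -> Optional[dict]:
    """Stateless per-request check: signature first, then expiry. Returns None on any failure."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):  # constant-time comparison
            return None
        claims = json.loads(_unb64(body))
        if now >= claims["exp"]:
            return None
        return claims
    except (ValueError, KeyError, TypeError):  # malformed base64/JSON or a missing claim
        return None

def renew_if_active(token: str, ttl: int, window: int, now: float = None) -> Optional[str]:
    """Sliding expiry: tokens stay short-lived, but an active caller gets a fresh one
    when less than `window` seconds remain, so the session idles out without
    logging out someone who is still using it."""
    now = time.time() if now is None else now
    claims = verify_token(token, now)
    if claims is None:
        return None
    if claims["exp"] - now < window:
        return issue_token(claims["sub"], claims["perms"], ttl, now)
    return token

def set_cookie_header(token: str, path: str = "/") -> str:
    """Secure: sent only over TLS. HttpOnly: not readable by page script.
    SameSite=Strict: the CSRF precaution RFC 6750 asks for. Path: limits which
    applications on the host receive the cookie."""
    return f"{COOKIE_NAME}={token}; Path={path}; Secure; HttpOnly; SameSite=Strict"
```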