Re: [security-dev] input on bearer tokens and cookies

I'm looking for some input. For the OAuth SSO protocol I'm working on, I'm thinking of storing the bearer token within a "secure" cookie and verifying the bearer token each HTTP request (for browser-based apps only). The upside to this is that you can establish a stateless SSO between a set of load-balanced servers. Downside is it takes about 1-2ms on my box to both parse and verify the cookie. TO much overhead? Should I store the unmarshaled token in the HTTP session instead? Any other thoughts on bearer tokens stored in cookies? Thanks Bill