[security-dev] input on bearer tokens and cookies
Bill Burke
bburke at redhat.com
Tue Dec 11 12:16:06 EST 2012
I'm looking for some input.
For the OAuth SSO protocol I'm working on, I'm thinking of storing the
bearer token within a "secure" cookie and verifying the bearer token
each HTTP request (for browser-based apps only). The upside to this is
that you can establish a stateless SSO between a set of load-balanced
servers. Downside is it takes about 1-2ms on my box to both parse and
verify the cookie. Too much overhead? Should I store the unmarshaled
token in the HTTP session instead?
Any other thoughts on bearer tokens stored in cookies?
Thanks
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
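The stateless design described in the post (bearer token carried in a Secure, HttpOnly cookie and verified on every request with no shared HTTP session), as an added illustration that is not code from the post or from the OAuth SSO project; the HMAC-signed cookie layout, the SSO_TOKEN cookie name and the demo key are assumptions:

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo key: in a real deployment every load-balanced node loads the same key from a secret store.
SECRET = b"constructed-demo-key-do-not-use"
COOKIE_NAME = "SSO_TOKEN"  # assumed cookie name

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_cookie(subject: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Return a Set-Cookie header value of the form <payload>.<hmac>, payload = {sub, exp}."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "exp": int(now) + ttl_seconds}
    payload = _b64e(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64e(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    # Secure: sent only over TLS; HttpOnly: not readable by page script; SameSite: limits cross-site sending
    return f"{COOKIE_NAME}={payload}.{sig}; Secure; HttpOnly; SameSite=Lax; Path=/"

def verify_cookie(cookie_header: str, now: Optional[float] = None) -> Optional[str]:
    """Return the subject if the cookie is intact and unexpired, else None. Needs no server-side session."""
    now = time.time() if now is None else now
    cookies = dict(part.strip().split("=", 1) for part in cookie_header.split(";") if "=" in part)
    value = cookies.get(COOKIE_NAME, "")
    if value.count(".") != 1:
        return None
    payload, sig = value.split(".")
    try:
        expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):  # constant-time comparison
            return None
        claims = json.loads(_b64d(payload))
        if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
            return None
    except (ValueError, TypeError):  # malformed base64, JSON or claim types
        return None
    return claims.get("sub")

def verify_cost_us(rounds: int = 1000) -> float:
    """Average microseconds per verification, to put the post's 1-2 ms figure in context."""
    cookie = issue_cookie("alice", 300).split(";")[0]
    start = time.perf_counter()
    for _ in range(rounds):
        verify_cookie(cookie)
    return (time.perf_counter() - start) / rounds * 1e6
```

Every node must hold the same signing key, and because nothing is kept server-side, revoking a token before its `exp` needs a separate mechanism.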