[security-dev] input on bearer tokens and cookies
Bill Burke
bburke at redhat.com
Tue Dec 11 12:16:06 EST 2012

I'm looking for some input.
For the OAuth SSO protocol I'm working on, I'm thinking of storing the 
bearer token within a "secure" cookie and verifying the bearer token 
on each HTTP request (for browser-based apps only).  The upside to this is 
that you can establish a stateless SSO between a set of load-balanced 
servers.  Downside is it takes about 1-2ms on my box to both parse and 
verify the cookie.  Too much overhead?  Should I store the unmarshaled 
token in the HTTP session instead?
Any other thoughts on bearer tokens stored in cookies?
Thanks
Bill
-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
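An added sketch of the stateless scheme the post describes (not code from Bill's post or from the project): the token is a signed, expiring claim set carried in a Secure/HttpOnly cookie, and any server holding the shared key can verify it per request without session state. HMAC-SHA256, the claim layout, the cookie name and the demo key are assumptions for illustration.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo key; a real deployment would distribute it to the
# load-balanced servers through configuration, never hard-code it.
KEY = b"constructed-demo-key-not-for-production"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, key: bytes = KEY, ttl: int = 300, now=None) -> str:
    """Build 'payload.tag': base64url(JSON claims + exp) and its HMAC-SHA256 tag."""
    now = time.time() if now is None else now
    body = dict(claims, exp=int(now) + ttl)
    payload = b64url(json.dumps(body, separators=(",", ":"), sort_keys=True).encode())
    tag = b64url(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{tag}"

def verify_token(token: str, key: bytes = KEY, now=None) -> Optional[dict]:
    """Return the claims if the tag is valid and the token is unexpired, else None.
    Only the shared key is needed, so any server in the pool can check it statelessly."""
    try:
        payload, tag = token.split(".", 1)
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison so the check does not leak tag bytes via timing.
        if not hmac.compare_digest(unb64url(tag), expected):
            return None
        body = json.loads(unb64url(payload))
    except ValueError:  # malformed structure, base64 or JSON (binascii/JSON errors subclass it)
        return None
    now = time.time() if now is None else now
    if not isinstance(body, dict) or body.get("exp", 0) <= now:
        return None
    return body

def set_cookie_header(token: str) -> str:
    """Secure: TLS only. HttpOnly: not readable by page scripts. SameSite=Lax: not
    sent on most cross-site requests. Cookie name 'sso_token' is an assumption."""
    return f"sso_token={token}; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    tok = mint_token({"sub": "alice"})
    t0 = time.perf_counter()
    for _ in range(1000):
        verify_token(tok)  # measure the per-request parse+verify cost the post asks about
    print(f"verify cost: {(time.perf_counter() - t0) * 1000:.1f} us/request")
    print(set_cookie_header(tok))
```

Note that the server can reject a token on a bad tag before parsing the JSON, so a tampered cookie costs less than a valid one to reject.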