[security-dev] input on bearer tokens and cookies
Anil Saldhana
Anil.Saldhana at redhat.com
Tue Dec 11 14:33:09 EST 2012
The cookies may be the easiest for you. An option with HTML5 is
the localstorage. In this case, the JS calls from the browser have
to save/restore the token that identifies session token/bearer token
and send it as part of the call.
On 12/11/2012 11:16 AM, Bill Burke wrote:
> I'm looking for some input.
>
> For the OAuth SSO protocol I'm working on, I'm thinking of storing the
> bearer token within a "secure" cookie and verifying the bearer token
> each HTTP request (for browser-based apps only). The upside to this is
> that you can establish a stateless SSO between a set of load-balanced
> servers. Downside is it takes about 1-2ms on my box to both parse and
> verify the cookie. TO much overhead? Should I store the unmarshaled
> token in the HTTP session instead?
>
> Any other thoughts on bearer tokens stored in cookies?
>
> Thanks
>
> Bill
>
More information about the security-dev
mailing list