[security-dev] input on bearer tokens and cookies

Bruno Oliveira bruno at abstractj.org
Wed Dec 12 09:30:56 EST 2012


Sorry Anil, but on HTML5 local storage is not an option, because can be easily hacked. Maybe session storage, but on AeroGear we don't have plans to store sensitive date on local storage. 

I'd rather to go with Bill's approach. 


-- 
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile



On Tuesday, December 11, 2012 at 5:33 PM, Anil Saldhana wrote:

> The cookies may be the easiest for you. An option with HTML5 is
> the localstorage. In this case, the JS calls from the browser have
> to save/restore the token that identifies session token/bearer token
> and send it as part of the call.
> 
> On 12/11/2012 11:16 AM, Bill Burke wrote:
> > I'm looking for some input.
> > 
> > For the OAuth SSO protocol I'm working on, I'm thinking of storing the
> > bearer token within a "secure" cookie and verifying the bearer token
> > each HTTP request (for browser-based apps only). The upside to this is
> > that you can establish a stateless SSO between a set of load-balanced
> > servers. Downside is it takes about 1-2ms on my box to both parse and
> > verify the cookie. TO much overhead? Should I store the unmarshaled
> > token in the HTTP session instead?
> > 
> > Any other thoughts on bearer tokens stored in cookies?
> > 
> > Thanks
> > 
> > Bill
> 
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org (mailto:security-dev at lists.jboss.org)
> https://lists.jboss.org/mailman/listinfo/security-dev





More information about the security-dev mailing list