[security-dev] input on bearer tokens and cookies
Anil Saldhana
Anil.Saldhana at redhat.com
Wed Dec 12 17:47:16 EST 2012
Bruno - I have been thinking of the possible ways by which Private Keys
are stored securely by the JavaScript applications for use in JSON
Encryption (for example).
Do you know how JS libraries such as DOMCrypt and Crypto.js deal with
storage of private keys?
On 12/12/2012 08:30 AM, Bruno Oliveira wrote:
> Sorry Anil, but HTML5 local storage is not an option, because it can be easily hacked. Maybe session storage, but on AeroGear we don't have plans to store sensitive data in local storage.
>
> I'd rather go with Bill's approach.
>
>
> -- "The measure of a man is what he does with power" - Plato -
> @abstractj - Volenti Nihil Difficile
>
> On Tuesday, December 11, 2012 at 5:33 PM, Anil Saldhana wrote:
>> The cookies may be the easiest for you. An option with HTML5 is
>> localStorage. In this case, the JS calls from the browser have
>> to save/restore the token that identifies session token/bearer token
>> and send it as part of the call.
>>
>> On 12/11/2012 11:16 AM, Bill Burke wrote:
>>> I'm looking for some input.
>>>
>>> For the OAuth SSO protocol I'm working on, I'm thinking of storing the
>>> bearer token within a "secure" cookie and verifying the bearer token
>>> each HTTP request (for browser-based apps only). The upside to this is
>>> that you can establish a stateless SSO between a set of load-balanced
>>> servers. Downside is it takes about 1-2ms on my box to both parse and
>>> verify the cookie. Too much overhead? Should I store the unmarshaled
>>> token in the HTTP session instead?
>>>
>>> Any other thoughts on bearer tokens stored in cookies?
>>>
>>> Thanks
>>>
>>> Bill
>>
>> _______________________________________________
>> security-dev mailing list
>> security-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/security-dev
>