The issue with a cookie is that it might go over the wire in plain-text. If a cookie is set to be Secure (and hence only used over HTTPS) then it should be fine.
Ian

On Mon, Jul 11, 2011 at 6:46 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
> Any cookie? What about a Secure cookie limited to a specific sub-domain? What
> are the concerns about cookies? I think this would be helpful to discuss.
>
> EHL
>
>> -----Original Message-----
>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
>> Of Marius Scurtescu
>> Sent: Monday, July 11, 2011 3:15 PM
>> To: Doug Tangren
>> Cc: oauth@ietf.org
>> Subject: Re: [OAUTH-WG] best practices for storing access token for implicit
>> clients
>>
>> On Thu, Jun 30, 2011 at 12:45 PM, Doug Tangren <d.tang...@gmail.com>
>> wrote:
>> > What is the current recommended practice of storing an implicit
>> > client's access_tokens? LocalStorage, in mem and re-request auth on
>> > every browser refresh?
>>
>> Both sound reasonable. I think most important is how NOT to store it, in a
>> cookie.
>>
>> Marius
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>

--
Ian McKellar <http://ian.mckellar.org/>
i...@mckellar.org: email | jabber | msn
ianloic: flickr | aim | yahoo | skype | linkedin | etc.
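
The cookie scoping this thread discusses (Secure, and a cookie limited to one sub-domain), as an added example that is not part of any message above: a simplified model of RFC 6265 matching showing which requests would carry a token cookie. The function names, the example.com hosts and the token value are assumptions constructed for illustration.

```javascript
// Added example: simplified cookie scoping after RFC 6265 (Path, expiry and
// public-suffix checks omitted). Hosts and token values are constructed.

// True if `host` is `domain` itself or a subdomain of it.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Parse a Set-Cookie value received from `originHost` into its scope.
// Returns null when the Domain attribute does not cover the setting host.
function parseSetCookie(header, originHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: originHost.toLowerCase(),
    hostOnly: true, // no Domain attribute: only the exact setting host
    secure: false,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    const key = k.toLowerCase();
    if (key === "secure") cookie.secure = true;
    if (key === "domain" && v) {
      cookie.domain = v.replace(/^\./, "").toLowerCase();
      cookie.hostOnly = false; // Domain widens the scope to subdomains
    }
  }
  if (!domainMatches(originHost.toLowerCase(), cookie.domain)) return null;
  return cookie;
}

// Would a browser attach `cookie` to a request for `url`?
function wouldSend(cookie, url) {
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  const hostOk = cookie.hostOnly
    ? host === cookie.domain
    : domainMatches(host, cookie.domain);
  // Secure restricts the cookie to https; without it, http requests carry it.
  return hostOk && (!cookie.secure || u.protocol === "https:");
}

// Constructed sample headers, as if set by https://app.example.com
const plain = parseSetCookie("access_token=abc123", "app.example.com");
const secure = parseSetCookie("access_token=abc123; Secure", "app.example.com");
const wide = parseSetCookie("access_token=abc123; Secure; Domain=example.com", "app.example.com");
```

Calling `wouldSend(plain, "http://app.example.com/")` returns `true`, which is the plain-text exposure; the host-only `secure` cookie is attached only to https requests for app.example.com, while `wide` also reaches every other subdomain of example.com.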