The issue with a cookie is that it might go over the wire in plain-text. If a cookie is set to be Secure (and hence only used over HTTPS) then it should be fine.
Ian

On Mon, Jul 11, 2011 at 6:46 PM, Eran Hammer-Lahav <[email protected]> wrote:
> Any cookie? What about a Secure cookie limited to a specific sub-domain? What
> are the concerns about cookies? I think this would be helpful to discuss.
>
> EHL
>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf
>> Of Marius Scurtescu
>> Sent: Monday, July 11, 2011 3:15 PM
>> To: Doug Tangren
>> Cc: [email protected]
>> Subject: Re: [OAUTH-WG] best practices for storing access token for implicit
>> clients
>>
>> On Thu, Jun 30, 2011 at 12:45 PM, Doug Tangren <[email protected]>
>> wrote:
>> > What is the current recommended practice of storing an implicit
>> > client's access_tokens? LocalStorage, in mem and re-request auth on
>> > every browser refresh?
>>
>> Both sound reasonable. I think most important is how NOT to store it, in a
>> cookie.
>>
>> Marius
>> _______________________________________________
>> OAuth mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/oauth

--
Ian McKellar <http://ian.mckellar.org/>
[email protected]: email | jabber | msn
ianloic: flickr | aim | yahoo | skype | linkedin | etc.
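The cookie behaviour discussed in this thread, as an added example that is not part of any message: a simplified JavaScript model of the RFC 6265 matching rules, showing when a browser would attach a token cookie to a request. The host names and token value are constructed, and path and expiry matching are left out.

```javascript
// Added example: simplified model of the RFC 6265 rules that decide whether a
// browser attaches a cookie to a request. Path and expiry matching are omitted.

// Parse a Set-Cookie header value received from `requestHost`.
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    domain: requestHost.toLowerCase(), // host-only unless Domain is given
    hostOnly: true,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "secure") {
      cookie.secure = true;
    } else if (key === "domain" && v.trim()) {
      cookie.domain = v.trim().replace(/^\./, "").toLowerCase();
      cookie.hostOnly = false; // now also matches every sub-domain
    }
  }
  return cookie;
}

// True when the browser would send the cookie with a request to `url`.
function wouldSend(cookie, url) {
  const { protocol, hostname } = new URL(url);
  if (cookie.secure && protocol !== "https:") return false; // never in plain text
  if (cookie.hostOnly) return hostname === cookie.domain;
  return hostname === cookie.domain || hostname.endsWith("." + cookie.domain);
}

// Constructed sample: the same token cookie set by api.example.com three ways.
const plain = parseSetCookie("access_token=abc123", "api.example.com");
const secure = parseSetCookie("access_token=abc123; Secure", "api.example.com");
const wide = parseSetCookie("access_token=abc123; Secure; Domain=example.com", "api.example.com");

for (const url of ["http://api.example.com/", "https://api.example.com/", "https://blog.example.com/"]) {
  console.log(url, {
    plain: wouldSend(plain, url),
    secure: wouldSend(secure, url),
    wide: wouldSend(wide, url),
  });
}
```

Only the cookie without `Secure` is sent over `http://`, and only the one with a `Domain` attribute reaches a sibling sub-domain.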
