Cookies can be stolen by directed XSS attacks.

Larry

On Mon, Jul 11, 2011 at 3:46 PM, Eran Hammer-Lahav <[email protected]> wrote:
> Any cookie? What about a Secure cookie limited to a specific sub-domain?
> What are the concerns about cookies? I think this would be helpful to
> discuss.
>
> EHL
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf
> > Of Marius Scurtescu
> > Sent: Monday, July 11, 2011 3:15 PM
> > To: Doug Tangren
> > Cc: [email protected]
> > Subject: Re: [OAUTH-WG] best practices for storing access token for implicit
> > clients
> >
> > On Thu, Jun 30, 2011 at 12:45 PM, Doug Tangren <[email protected]>
> > wrote:
> > > What is the current recommended practice of storing an implicit
> > > client's access_tokens? LocalStorage, in mem and re-request auth on
> > > every browser refresh?
> >
> > Both sound reasonable. I think most important is how NOT to store it, in a
> > cookie.
> >
> > Marius
> > _______________________________________________
> > OAuth mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
>
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
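
Added example, not part of any message in this thread: a JavaScript check that reads one Set-Cookie header and reports which of the properties raised above (Secure, sub-domain scoping) it has, and whether page script can still read the value, which is the XSS concern. The cookie name access_token, the host app.example.com and the token values are constructed for illustration.

```javascript
// Constructed sample headers; names, hosts and values are illustrative only.
const SAMPLES = {
  secureSubdomain:
    'access_token=constructed-token-value; Secure; Domain=app.example.com; Path=/',
  hardened: 'access_token=constructed-token-value; Secure; HttpOnly; Path=/',
  bare: 'access_token=constructed-token-value',
};

// Parse a single Set-Cookie header value into name, value and attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0) throw new Error('empty Set-Cookie header');
  const eq = parts[0].indexOf('=');
  if (eq < 1) throw new Error('missing cookie name=value pair');
  const cookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1), // the value may itself contain '='
    attrs: Object.create(null),
  };
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    // Attribute names are case-insensitive.
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Report how exposed a token stored in this cookie would be.
function tokenCookieExposure(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  // Without HttpOnly, script in the page can read the value through
  // document.cookie; Secure and Domain do not change that.
  if (!attrs.httponly) findings.push('script-readable');
  // Without Secure, the cookie is also attached to plain-HTTP requests.
  if (!attrs.secure) findings.push('sent-over-http');
  // A Domain attribute shares the cookie with that domain and every
  // subdomain below it; omitting it keeps the cookie host-only.
  if (attrs.domain) findings.push('shared-with-subdomains');
  return { name, findings };
}
```

A cookie marked HttpOnly cannot be read by the client's own script either, so it cannot serve as the token store for script that must attach the token to API requests itself.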
