Cookies can be stolen by directed XSS attacks.

Larry

On Mon, Jul 11, 2011 at 3:46 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:

> Any cookie? What about a Secure cookie limited to a specific sub-domain?
> What are the concerns about cookies? I think this would be helpful to
> discuss.
>
> EHL
>
> > -----Original Message-----
> > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> > Of Marius Scurtescu
> > Sent: Monday, July 11, 2011 3:15 PM
> > To: Doug Tangren
> > Cc: oauth@ietf.org
> > Subject: Re: [OAUTH-WG] best practices for storing access token for
> > implicit clients
> >
> > On Thu, Jun 30, 2011 at 12:45 PM, Doug Tangren <d.tang...@gmail.com>
> > wrote:
> > > What is the current recommended practice of storing an implicit
> > > client's access_tokens? LocalStorage, in mem and re-request auth on
> > > every browser refresh?
> >
> > Both sound reasonable. I think most important is how NOT to store it, in
> > a cookie.
> >
> > Marius
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth