Re: [OAUTH-WG] best practices for storing access token for implicit clients
Ian McKellar <ian@mckellar.org> Mon, 11 July 2011 23:09 UTC
In-Reply-To: <CAKJ-YRbXQrTDRRsPbo+O3EVJH8CJAj1Cfn8ArT+qboEHC_GuFw@mail.gmail.com>
References: <BANLkTimU=RGHpHJTb97xvnpaqxqbc_qLhw@mail.gmail.com> <CAGdjJpLBg7-998tZm1uYQ2brsgfc7kyEr7VdF4Rd6ns+CAQGmA@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E7234501D4A042D@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAKJ-YRbXQrTDRRsPbo+O3EVJH8CJAj1Cfn8ArT+qboEHC_GuFw@mail.gmail.com>
From: Ian McKellar <ian@mckellar.org>
Date: Mon, 11 Jul 2011 19:08:45 -0400
Message-ID: <CAKMDUCaHUZjeGxBqwSht8wLAtuZAC-P+3LogyGAbYLhV9qUPZw@mail.gmail.com>
To: Larry Suto <larry.suto@gmail.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] best practices for storing access token for implicit clients
Can't LocalStorage etc be stolen with XSS too? If an attacker gets their JS
running on the page then the game is up.

Ian

On Mon, Jul 11, 2011 at 7:06 PM, Larry Suto <larry.suto@gmail.com> wrote:
> Cookies can be stolen by directed XSS attacks.
>
> Larry
>
> On Mon, Jul 11, 2011 at 3:46 PM, Eran Hammer-Lahav <eran@hueniverse.com>
> wrote:
>>
>> Any cookie? What about a Secure cookie limited to a specific sub-domain?
>> What are the concerns about cookies? I think this would be helpful to
>> discuss.
>>
>> EHL
>>
>> > -----Original Message-----
>> > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> > Of Marius Scurtescu
>> > Sent: Monday, July 11, 2011 3:15 PM
>> > To: Doug Tangren
>> > Cc: oauth@ietf.org
>> > Subject: Re: [OAUTH-WG] best practices for storing access token for
>> > implicit clients
>> >
>> > On Thu, Jun 30, 2011 at 12:45 PM, Doug Tangren <d.tangren@gmail.com>
>> > wrote:
>> > > What is the current recommended practice of storing an implicit
>> > > client's access_tokens? LocalStorage, in mem and re-request auth on
>> > > every browser refresh?
>> >
>> > Both sound reasonable. I think most important is how NOT to store it, in
>> > a cookie.
>> >
>> > Marius
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth

--
Ian McKellar <http://ian.mckellar.org/>
ian@mckellar.org: email | jabber | msn
ianloic: flickr | aim | yahoo | skype | linkedin | etc.
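The "in mem and re-request auth on every browser refresh" option from the thread, as an added example that is not code from any of the posters: the token returned in the implicit-grant redirect fragment is held only in a closure and dropped once it expires, so nothing is left in LocalStorage or a cookie for a later page load to find. As Ian's reply points out, this does not protect against script already running on the page while the token is held; it only narrows the window. The fragment contents and URLs below are constructed for the example.

```javascript
// Parse the fragment an authorization server redirects back with under the
// implicit grant, e.g. "#access_token=...&token_type=bearer&expires_in=3600".
function parseImplicitFragment(fragment) {
  const params = new URLSearchParams(fragment.replace(/^#/, ''));
  const expiresIn = Number(params.get('expires_in'));
  return {
    accessToken: params.get('access_token'),
    tokenType: (params.get('token_type') || '').toLowerCase(),
    expiresIn: Number.isFinite(expiresIn) && expiresIn > 0 ? expiresIn : null,
    state: params.get('state'),
  };
}

// Token holder whose only storage is a closure variable: no localStorage,
// no cookie. A page refresh discards it and the client re-requests auth.
function createTokenHolder(now = () => Date.now()) {
  let token = null;
  let expiresAt = 0;
  const current = () => (now() < expiresAt ? token : null);
  return {
    // Accept a redirect fragment; returns false if it carries no usable
    // bearer token (error responses, missing type or lifetime).
    accept(fragment) {
      const r = parseImplicitFragment(fragment);
      if (!r.accessToken || r.tokenType !== 'bearer' || r.expiresIn === null) {
        return false;
      }
      token = r.accessToken;
      expiresAt = now() + r.expiresIn * 1000;
      return true;
    },
    get: current,
    // True once the token has expired (or was never set); caller re-auths.
    needsReauth: () => current() === null,
    clear() { token = null; expiresAt = 0; },
  };
}

// Remove the token-bearing fragment from a URL after it has been consumed,
// so the token does not linger in browser history.
function scrubbedUrl(url) {
  const i = url.indexOf('#');
  return i === -1 ? url : url.slice(0, i);
}

// In a browser, after the redirect lands on the client page:
//   const holder = createTokenHolder();
//   if (holder.accept(location.hash)) {
//     history.replaceState(null, '', scrubbedUrl(location.href));
//   }
```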