[01:38:15] I’m not sure if this is the right place to ask, but I have a tool running on Toolforge that uses OAuth 2.0 for Wikimedia authentication. I’m considering storing the refresh token in cookies for up to one month. Are there any potential security risks I should be aware of?
[01:38:16] https://github.com/wiki-connect/wikimonitor/pull/40
[01:44:38] I think that sounds fine, since the refresh token can only be used together with the client secret (users can't use it on its own to impersonate your tool even if they extract it from the cookie)