diff --git a/lib/rack/oauth2/server.rb b/lib/rack/oauth2/server.rb
index 20ea62a..51c7812 100644
--- a/lib/rack/oauth2/server.rb
+++ b/lib/rack/oauth2/server.rb
@@ -203,7 +203,7 @@ def get_issuer(identifier)
 # type, no error will result.
 #
 Options = Struct.new(:access_token_path, :authenticator, :assertion_handler, :authorization_types,
- :authorize_path, :database, :host, :param_authentication, :path, :realm,
+ :authorize_path, :database, :host, :param_authentication, :cookie_authentication, :path, :realm,
 :expires_in,:logger, :collection_prefix)
 
 # Global options. This is what we set during configuration (e.g. Rails'
@@ -223,6 +223,7 @@ def initialize(app, options = nil, &authenticator)
 @options.authorize_path ||= "/oauth/authorize"
 @options.authorization_types ||= %w{code token}
 @options.param_authentication ||= false
+ @options.cookie_authentication ||= false
 @options.collection_prefix ||= "oauth2"
 end
 
@@ -254,11 +255,18 @@ def call(env)
 if request.authorization
 # 5.1.1. The Authorization Request Header Field
 token = request.credentials if request.oauth?
- elsif options.param_authentication && !request.GET["oauth_verifier"] # Ignore OAuth 1.0 callbacks
- # 5.1.2. URI Query Parameter
- # 5.1.3. Form-Encoded Body Parameter
- token = request.GET["oauth_token"] || request.POST["oauth_token"]
- token ||= request.GET['access_token'] || request.POST['access_token']
+ else
+ if options.param_authentication
+ # 5.1.2. URI Query Parameter
+ # 5.1.3. Form-Encoded Body Parameter
+ token = request.GET["oauth_token"] || request.POST["oauth_token"]
+ token ||= request.GET['access_token'] || request.POST['access_token']
+ end
+
+ if !token && options.cookie_authentication
+ # 5.1.4. Cookie Value
+ token ||= request.cookies['oauth_token'] || request.cookies['access_token']
+ end
 end
 
 if token
diff --git a/test/oauth/access_token_test.rb b/test/oauth/access_token_test.rb
index 46a763b..afef3d9 100644
--- a/test/oauth/access_token_test.rb
+++ b/test/oauth/access_token_test.rb
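Review bot: The rewritten `else` branch in call drops the `!request.GET["oauth_verifier"]` guard that the removed `elsif` carried under the comment "Ignore OAuth 1.0 callbacks", so an OAuth 1.0 callback passing through this middleware now has its `oauth_token` query parameter read as a bearer token; unless that exemption is deliberately being retired, keep it on the new line: `if options.param_authentication && !request.GET["oauth_verifier"] # Ignore OAuth 1.0 callbacks`. Reading the token from `request.cookies` also changes the trust model: the header and parameter forms require the client to attach the token explicitly, whereas the browser sends cookies on every request, so a resource protected only through cookie_authentication is reachable from a cross-site request without the client's involvement, and the option deserves a comment where it is defined in the Options struct, e.g. `# cookie_authentication: also accept the token from the oauth_token/access_token cookies; browsers attach these automatically, so enable only together with CSRF protection on state-changing routes`. Inside `if !token && options.cookie_authentication` the `token ||=` is redundant and reads as if the guard might not hold; `token =` says the same thing. call continues outside the hunk on both sides.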
@@ -165,6 +165,53 @@ def with_expired_token
 end
 end
 end
+
+ # 5.1.4. Cookie Parameter
+
+ context "cookie parameter" do
+ context "default mode" do
+ setup {
+ set_cookie "oauth_token=#{@token}"
+ get "/private"
+ }
+ should_fail_authentication
+ end
+
+ context "enabled" do
+ setup do
+ config.cookie_authentication = true
+ end
+
+ context "no token" do
+ setup {
+ clear_cookies
+ get "/private"
+ }
+ should_fail_authentication
+ end
+
+ context "valid token" do
+ setup {
+ set_cookie "oauth_token=#{@token}"
+ get "/private"
+ }
+ should_return_resource "Shhhh"
+ end
+
+ context "invalid token" do
+ setup {
+ set_cookie "oauth_token=dingdong"
+ get "/private"
+ }
+ should_fail_authentication :invalid_token
+ end
+
+ teardown do
+ config.cookie_authentication = false
+ end
+ end
+ end
 context "POST" do
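Review bot: The new "enabled" context never exercises the `access_token` cookie name, although the server change reads `request.cookies['access_token']` as the fallback to `oauth_token`, so that path ships unverified; a sibling of "valid token" with `set_cookie "access_token=#{@token}"` followed by `get "/private"` and `should_return_resource "Shhhh"` would cover it. There is also no case where both a cookie and a query or form token are present, which is exactly where the new ordering (parameters first, cookie only when no token was found) could regress without a failing test. The three leading `end` lines close a block that begins outside the hunk, and `context "POST" do` continues past it.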