Cookies and a Security Problem

  • Question

  • User-204634223 posted
    We currently have two non-ASP.NET browser-based applications available on Pocket PCs that use forms authentication, i.e. the applications always prompt for a UserID and Password. Some upcoming ASP.NET mobile applications will use Windows authentication, i.e. where the user is prompted for their domain credentials and these determine what applications they can use. Windows authentication appears to store these credentials in a cookie, if cookies are enabled. This means that, as long as that cookie remains on the device, any user of the device will be able to access applications using the stored credentials. I haven't quite worked out at what point the cookie is deleted. However, the user is most likely to leave the browser in a running state when he uses the X to dismiss the Pocket Internet Explorer window. We had planned to have cookies disabled on the Pocket PC, but one of the two original applications uses cookies and so we can't. Is there a recommended way of dealing with this problem?
    Monday, February 21, 2005 9:39 AM

All replies

  • User-204634223 posted
    I think that I’ve found a way around this problem, so that we can have cookies available for other applications. It involves setting the cookieless attribute of the sessionState element within the web.config file equal to ‘true’ for any applications that use Windows authentication. In other words, we disable them in the application rather than on the device. I’ve tested it and it seems to work OK.
    Friday, February 25, 2005 9:49 AM
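
The web.config fragment below is an added illustration of the setting described in the reply above; it is not configuration posted by the thread's author. It shows an ASP.NET 1.x application configured for Windows authentication with the sessionState element's cookieless attribute set to "true", so the application does not depend on the ASP.NET_SessionId cookie. The mode="InProc" and timeout="20" values are assumed defaults, not something the post specifies, and the deny-anonymous authorization rule is an assumption added so that every request must carry domain credentials.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Windows authentication: IIS challenges the browser for domain
         credentials (NTLM/Kerberos); ASP.NET does not issue a login cookie. -->
    <authentication mode="Windows" />

    <!-- Assumed rule: refuse anonymous users so each request is authenticated. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- cookieless="true": the session ID travels in the URL path
         (e.g. /(XXXXXXXX)/page.aspx) instead of the ASP.NET_SessionId cookie.
         mode and timeout are assumed defaults for this example. -->
    <sessionState mode="InProc" cookieless="true" timeout="20" />
  </system.web>
</configuration>
```

With cookieless sessions the session identifier becomes part of every URL, so it appears in browser history, bookmarks and Referer headers; treat such URLs as sensitive and keep the session timeout short on a shared device.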