Single Sign-On and HTTP Cookies in AIR Applications

[3-Jan-11: Please see "More on sharing HTTP cookies with AIR applications" for an important follow-on to this post.]

Consistent with our philosophy that an AIR application should behave like any other application on your device, AIR leverages the underlying operating system HTTP stack when making HTTP requests. A while back, I wrote about how this enables the use of OS facilities for TLS client authentication.

Sharing the system HTTP stack also enables the use of HTTP cookie-based single sign-on mechanisms, both across multiple applications and between AIR applications and the user's browser. Assuming all parties use the shared HTTP stack, this will work by default. AIR applications can individually disable managing cookies in this way via URLRequestDefaults.manageCookies.

It should be noted that not all applications use the shared HTTP stack. Firefox is a notable exception, which unfortunately means that cookie-based single sign-on between Firefox and AIR applications (indeed, most desktop applications) does not work. Also, on Linux, AIR uses its own HTTP stack because there is no default OS stack available.
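
As an added example (not code from the original post), the ActionScript below shows one way to use the setting described above: shared cookie handling is turned off by default through URLRequestDefaults.manageCookies and turned back on per request only for an origin that takes part in single sign-on. The class name CookiePolicy and the origin https://sso.example.com are hypothetical.

```actionscript
package {
    import flash.net.URLRequest;
    import flash.net.URLRequestDefaults;

    public class CookiePolicy {
        // Hypothetical allowlist of origins that participate in cookie-based SSO.
        private static const SSO_ORIGINS:Array = ["https://sso.example.com"];

        // Call once at startup. From here on, requests neither send cookies from
        // the shared store nor save response cookies into it unless a request
        // opts back in.
        public static function install():void {
            URLRequestDefaults.manageCookies = false;
        }

        // Returns scheme://authority in lower case, or null if the URL is not http(s).
        // A URL carrying userinfo or an explicit port will not equal an allowlist
        // entry, so it fails closed.
        public static function origin(url:String):String {
            var m:Array = url.match(/^(https?:\/\/[^\/?#]+)/i);
            return m ? String(m[1]).toLowerCase() : null;
        }

        // Builds a request that uses the shared cookie store only for SSO origins.
        public static function request(url:String):URLRequest {
            var req:URLRequest = new URLRequest(url);
            req.manageCookies = SSO_ORIGINS.indexOf(origin(url)) != -1;
            return req;
        }
    }
}
```

With this in place, a request built by CookiePolicy.request("https://sso.example.com/session") shares the user's existing session cookie, while requests to any other host are made without the shared cookies.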