More On Sharing HTTP Cookies with AIR Applications

In an earlier post, I mentioned that AIR applications can share cookies with the system browser, and this in turn can be used to share single sign-on (SSO) information stored in these cookies with an AIR application. Unfortunately, this turns out to be even less useable than I realized.

As I mentioned in the original post, there are clear limits to this capability. For example, it won’t work with browsers like Firefox and Chrome, as they don’t share the system cookie database at all.

On Windows, there are two system cookie databases: the default used by applications using WinInet, and a special, second location used by Internet Explorer’s protected mode. By default, most web sites visited will be visited in protected mode. AIR applications, as regular WinInet clients, still use the default cookie database. The end result is that cookies are not shared between the two.

This can be mitigated in some circumstances by changing certain IE security settings. For more details, see this Microsoft knowledge base article. Fundamentally, however, this is not a reliable solution for achieving SSO.

If you’d be interested in a solution that permitted this kind of cookie sharing, for SSO or other purposes, please let me know via the comments or at ideas.adobe.com/air.