More On Sharing HTTP Cookies with AIR Applications

In an earlier post, I mentioned that AIR applications can share cookies with the system browser, and that this in turn can be used to share single sign-on (SSO) information stored in these cookies with an AIR application. Unfortunately, this turns out to be even less usable than I realized.

As I mentioned in the original post, there are clear limits to this capability. For example, it won’t work with browsers like Firefox and Chrome, as they don’t share the system cookie database at all.

On Windows, there are two system cookie databases: the default one, used by applications built on WinInet, and a second, separate location used by Internet Explorer’s protected mode. By default, most web sites are visited in protected mode. AIR applications, as regular WinInet clients, still use the default cookie database. The end result is that cookies are not shared between the two.

This can be mitigated in some circumstances by changing certain IE security settings. For more details, see this Microsoft knowledge base article. Fundamentally, however, this is not a reliable solution for achieving SSO.

If you’d be interested in a solution that permitted this kind of cookie sharing, for SSO or other purposes, please let me know via the comments or at

4 Responses to More On Sharing HTTP Cookies with AIR Applications

  1. I really hope they implement some way of clearing all browser cache. I’ve been writing AIR apps on Linux as a desktop replacement for kiosk-type systems. AIR provides a great way to create a nice interface and a decent browser with Flash support. However, because the systems are available to the general public, I need to ensure browser cache is cleared routinely. Disabling cookies severely hampers the application’s ability to browse the web. Though AIR uses the cookies.sqlite database, it simply reads it once and never checks it again. For me to ensure user sessions are ended, I have to kill the entire desktop app, remove the sqlite file (or empty the cookies table) and reboot the AIR app. Even closing and nullifying all aspects of the htmlLoader and creating a new instance does not force AIR to re-read the sqlite database.
    There needs to be some sort of way to protect and remove cookies and session data. Without that, all the sand-boxing and security layers in the world are fairly pointless.

  2. Gerry says:

    What I would really like to see is for Flash and AIR apps to be able to locally share cookies.

    Right now each has their own local cookie storage areas unknown to the other.

    And for offline operation remote storage does not help.

  3. harish says:

    I’m working on a project where I need to read the session ID from the cookie of an HTTP request from the Adobe AIR application.
    I have found a property called URLRequest.manageCookies supported by AIR, so I hope there should be a way to read the cookies as well.
    I’m using Flash Builder 4.5.

    I want to read HTTP cookies, not Local Shared Objects, and not in a web browser, in a desktop application.
    Please provide any reference you have.

    • Oliver Goldman says:

      Sounds like you are looking for the URLLoader HTTP_RESPONSE_EVENT, which provides access to the request headers, which in turn contain any cookies set by the server.