I would like to have your feedback regarding the authentication mechanism for an application using PhoneGap and Sencha Touch, with a server in .NET using Active Directory.
We need to store user credentials on the mobile device so that a user does not have to re-enter login and password every time he wishes to use the application.
01 – IDEA – Cookies
To my understanding, Sencha Touch does not directly have any libraries for managing cookies.
There is the Ext.util.Cookies class, but this library should not be free.
I’m afraid of still having problems with cross-domain cookies and the iOS security issue.
Also, PhoneGap does not provide any cookie abstraction, as there are plenty of other tools to do that already (PhoneGap just wraps up smartphone functionality, not basic browser functionality).
I could potentially use jQuery, and maybe try the jquery-cookie plugin.
02 – IDEA – HTML5 Local Storage
Sencha Touch offers an API for HTML5 Local Storage, so instead of writing a cookie, I could save the credentials in Local Storage.
Local data should be kept by the browser for an undefined amount of time, even if the device is turned off.
When a user clicks the app, I can take the local data and send it to the server, and the server will authenticate the user.
Regardless of the mechanism, I have an issue with security.
– I store the UserName and Password as plain text, in a cookie or in Local Storage, and forward them to the server.
No encryption is involved; the authentication should work. CONS: It is very easy to read the cookies and the Local Storage, so it is not the state of the art for security.
– I store the UserName as plain text and, instead of the Password, I store a “Forms authentication ticket” in a cookie or in Local Storage and forward it to the server.
Encryption on the server is involved for the “Forms authentication tickets”. PRO: High security. CONS: Takes time to develop it.
NOTE: Security, the Tickets are encrypted using configuration element of the server’s Machine.config file.
- Do you have any experience with one of these scenarios?
- Do you have a better approach?
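The second option (username plus a server-issued ticket in Local Storage, never the password) as an added example in plain JavaScript; this is not code from the question, from Sencha Touch or from PhoneGap. It assumes the .NET login endpoint returns an opaque, server-encrypted ticket together with an expiry timestamp, and the storage key and header names are made up for the example.

```javascript
// Added example: client-side session store for the "ticket instead of password" option.
// Assumed: the login response is { ticket: <opaque string>, expiresAt: <ms since epoch> }.
const SESSION_KEY = 'app.session'; // assumed key name

// Minimal in-memory stand-in for window.localStorage so the block runs outside a
// browser (constructed for this example; the real app passes localStorage itself).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Persist only what the server handed back. The password is never an argument here:
// it is used once, for the login request, and then discarded from memory.
function saveSession(storage, username, loginResponse) {
  const { ticket, expiresAt } = loginResponse;
  if (typeof ticket !== 'string' || ticket.length === 0) {
    throw new Error('login response carried no ticket');
  }
  if (!Number.isFinite(expiresAt)) {
    throw new Error('login response carried no expiry');
  }
  storage.setItem(SESSION_KEY, JSON.stringify({ username, ticket, expiresAt }));
}

// Read the stored session; an expired or malformed entry is wiped, not returned,
// so a stale ticket is never sent and does not linger on the device.
function loadSession(storage, now = Date.now()) {
  const raw = storage.getItem(SESSION_KEY);
  if (raw === null) return null;
  let s = null;
  try { s = JSON.parse(raw); } catch (e) { s = null; }
  if (!s || typeof s.ticket !== 'string' || !(now < s.expiresAt)) {
    storage.removeItem(SESSION_KEY);
    return null;
  }
  return s;
}

// Headers for an authenticated request: the ticket travels, the password does not.
function authHeaders(session) {
  return { 'X-Auth-Ticket': session.ticket, 'X-Username': session.username }; // assumed names
}

// Logout, or the reaction to a 401 from the server: drop the ticket locally.
function clearSession(storage) { storage.removeItem(SESSION_KEY); }
```

On a 401 response the app should call clearSession and fall back to the interactive login, so a revoked ticket is not retried forever.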
Some days ago I posted a Simple Login project to GitHub; you may find it helpful. It works in WebKit browsers and on iPhone. Android was not tested.