IgorNikolaev

Reputation: 1063

Cookie between reloads

I have authorization in my app that happens through a POST request to the server. In response I receive a JSON file and a cookie.

I want to prevent the user from having to enter credentials every time. So the question is how to store cookies (session-only cookies) between app launches. I am concerned with 3 cases here:

  1. User pressed "Home" and returned to the app before the app was terminated by iOS
  2. User pressed "Home" and returned to the app after the app was terminated by iOS
  3. User force-quit the app by swiping it out of multitasking

It seems that I can use something like this: NSHTTPCookieStorage.sharedHTTPCookieStorage().cookiesForURL(NSURL(string: "url")!)

But is it secure and will it persist in case 2 and case 3?

Upvotes: 0

Views: 226

Answers (1)

rockmo

Reputation: 566

I've been working on similar iOS issues for the past few weeks.

Depending upon just how secure the credentials need to be, I'd suggest looking into using the browser's localStorage functionality to resolve this, rather than using cookies.

localStorage and sessionStorage are far easier to manipulate than cookies, and cross domain protections help avoid both user manipulation and 3rd party attempts.

If one was dealing with almost any other browser, one would generally use sessionStorage, since the values are preserved per log-on session. But iOS on mobile devices will purge session storage far too frequently, rendering it useless.

The danger of using localStorage is that values persist between browser sessions. Where this becomes an issue is if a legit user logs in from a 3rd party device, the credentials are retained on that device unless the user has a way of purging them (which is easy to accomplish using JavaScript).

The advantages of using sessionStorage and localStorage are:
1. ease of manipulation compared to cookies
2. no need to keep posting back cookies values to the server
3. less server overhead

Note that on iOS in particular, if Private Browsing is enabled, both session and local storage are disabled.

Upvotes: 1
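For the native-app cases 2 and 3 in the question, one option is to copy the session cookie into the Keychain when the app goes to the background and put it back at launch. The sketch below is an added example, not code from the question or the answer, and is written in current Swift rather than the older syntax quoted above. It assumes the session-only cookie is not kept by the shared cookie storage once the process ends; the service and account strings and all function names are hypothetical.

```swift
import Foundation
import Security

// Hypothetical identifiers for the Keychain item (assumptions, not from the question).
let service = "com.example.app.session"
let account = "session-cookies"
let allowed: [AnyClass] = [NSArray.self, NSDictionary.self, NSString.self,
                           NSNumber.self, NSDate.self, NSURL.self]

func baseQuery() -> [String: Any] {
    return [kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account]
}

// Call when the app moves to the background: copy the cookies for `url` into the Keychain.
func saveCookies(for url: URL) -> Bool {
    let cookies = HTTPCookieStorage.shared.cookies(for: url) ?? []
    let list = cookies.compactMap { cookie -> [String: Any]? in
        guard let props = cookie.properties else { return nil }
        return Dictionary(uniqueKeysWithValues: props.map { ($0.key.rawValue, $0.value) })
    }
    guard let data = try? NSKeyedArchiver.archivedData(withRootObject: list,
                                                       requiringSecureCoding: false) else { return false }
    SecItemDelete(baseQuery() as CFDictionary)   // replace any earlier copy
    var item = baseQuery()
    item[kSecValueData as String] = data
    // Readable only while the device is unlocked; not restored onto another device.
    item[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    return SecItemAdd(item as CFDictionary, nil) == errSecSuccess
}

// Call at launch, before the first authenticated request. Returns the number restored.
func restoreCookies() -> Int {
    var query = baseQuery()
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var result: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
          let data = result as? Data,
          let list = (try? NSKeyedUnarchiver.unarchivedObject(ofClasses: allowed, from: data))
                        as? [[String: Any]] else { return 0 }
    var restored = 0
    for dict in list {
        let props = Dictionary(uniqueKeysWithValues:
            dict.map { (HTTPCookiePropertyKey(rawValue: $0.key), $0.value) })
        if let cookie = HTTPCookie(properties: props) {
            HTTPCookieStorage.shared.setCookie(cookie)
            restored += 1
        }
    }
    return restored
}

// Call on logout so the saved session does not outlive the user's intent.
func clearSavedCookies() { SecItemDelete(baseQuery() as CFDictionary) }
```

The server still decides whether a restored cookie is valid, so the app should fall back to the login screen when the first request after launch is rejected.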
