AIR Tip: Cookie Sharing between AIR and Web Browsers

This is something I came across at work that I thought I would share, because at first, it had me scratching my head.

Internally, Adobe AIR uses webkit as a "browser" which is great, and as expected, it actually behaves like a browser, including cookie support for access to external resources. Which means that when you are making remote calls to resources, you can use cookies to maintain sessions, or for information tracking.

One question I did not ask when I first realized that there was cookie support in AIR, was 'Where are the cookies stored?'. Well, it turns out that AIR uses the operating system's network stack for cookie support. Which means that AIR shares its cookies with any other browsers that use the network stack, which includes Internet Explorer on Windows Safari on OSX. Firefox manages its own cookies so it is unaffected by any of this.

I realized this when I was testing an AIR application that communicated with a ColdBox application. If I logged into the AIR application, which automatically logged into the ColdBox application, then when I would browse to the ColdBox application in Internet Explorer, I would already be logged in.

I kind of wish that, like Firefox, AIR would manage its own cookies. It seems wrong that it should work this way. Maybe I am off-base, but I don't like it. I don't know if it is too late for this to ever change, but if it can...

Ben Nadel's Gravatar Very interesting. I would not have expected that.
# Posted By Ben Nadel | 9/23/09 11:44 AM
Trausti Dagsson's Gravatar Hi, interesting post. I have one question, have you found a way to delete those AIR cookies?
# Posted By Trausti Dagsson | 1/7/10 12:43 PM
Jason Dean's Gravatar @trausti

No, I have not. I have not really tried to find away. In my situation is does not really affect my application. But I would be curious to know if there is a way to do it. Maybe I will look into that one of these days.
# Posted By Jason Dean | 1/7/10 1:09 PM
Sebastian's Gravatar I can confirm what you said and it took me hours to finally find the "bug". I just could not make any Ajax-Call to a remote PHP script and attach a different Session-ID. Because Air always used a session-cookie from my Webkit browser.

But that behaviour is super great for login-mechanisms! You just need to redirect the user in Air to your remote login script (maybe even via browser) and evoila: the user is logged-in in Air and Safari/Webkit.
# Posted By Sebastian | 2/5/10 5:19 PM
Sebastian's Gravatar Sorry, I forgot to mention the following solution:

You just assign a different Session Name in PHP if the call comes from Air. For me it runs perfect! Here is the code snippet which should come before session_start():

else ini_set("","PHPSESSID");
# Posted By Sebastian | 2/5/10 5:47 PM
BlogCFC was created by Raymond Camden. This blog is running version 5.9.1. Contact Blog Owner