Hi,

I would like to hear some opinions about using the isolated storage in Silverlight for storing sensitive data. For example, is it OK to store an authentication token (some GUID that identifies a server-side session) in this storage, or is it better to use cookies?

The isolated storage gives an advantage over cookies in that it is shared across browsers, but it might be more difficult to handle expiry, and there might be some other issues (security?) that I am not aware of.

So... what are your opinions? Or do you know any great articles about the topic?

Thanks, Jacob

+2  A: 

I've just started on a Silverlight project that uses Isolated Storage to store a login token that formerly was stored in a cookie when the app was written in ASP.NET.

The only thing I noticed with the end result was that each type of browser would remember the same user (as opposed to the cookie solution where every browser had its own cookie store and its own idea of who was logged in).

Security is not going to be substantially different - if you feel inclined to - encrypt the token. Though really why would you bother? If any process has access to a person's private AppData they're going to have access to all sorts of confidential information.

The app's URL determines access, so no one can get at the data unless your domain name expires.

Phil Bachmann
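
The expiry concern raised in the question can be handled by storing an expiry timestamp beside the token and checking it on every read. The following is an added example, not code from any poster in this thread; the class name `SessionTokenStore` and both key names are hypothetical, and it assumes the token is a `Guid` as in the question.

```csharp
using System;
using System.IO.IsolatedStorage;

public static class SessionTokenStore
{
    // Hypothetical key names, chosen for this example.
    private const string TokenKey = "auth.token";
    private const string ExpiresKey = "auth.expiresUtc";

    // Store the token with an absolute UTC expiry next to it.
    public static void Save(Guid token, TimeSpan lifetime)
    {
        try
        {
            IsolatedStorageSettings s = IsolatedStorageSettings.ApplicationSettings;
            s[TokenKey] = token;
            s[ExpiresKey] = DateTime.UtcNow.Add(lifetime);
            s.Save(); // write now instead of waiting for application exit
        }
        catch (IsolatedStorageException)
        {
            // Storage disabled or quota exhausted: the caller keeps the
            // token in memory for this session only.
        }
    }

    // Returns true only for a token that is present and not yet expired;
    // a stale or incomplete entry is deleted so it cannot be reused.
    public static bool TryLoad(out Guid token)
    {
        token = Guid.Empty;
        try
        {
            IsolatedStorageSettings s = IsolatedStorageSettings.ApplicationSettings;
            DateTime expiresUtc;
            Guid stored;
            if (s.TryGetValue(ExpiresKey, out expiresUtc) &&
                s.TryGetValue(TokenKey, out stored) &&
                DateTime.UtcNow < expiresUtc)
            {
                token = stored;
                return true;
            }
            s.Remove(TokenKey);
            s.Remove(ExpiresKey);
            s.Save();
        }
        catch (IsolatedStorageException) { }
        return false;
    }
}
```

The timestamp only controls how long the client keeps the token; the server still has to expire the session that the GUID identifies.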
+1  A: 

Other than the advantage of sharing the token across multiple browser instances, which I personally haven't ever seen the need for, I think I'll stick to using cookies for now. Why? Because they are better supported by intermediaries like proxy servers and HTTP accelerators. In general I adopt a "use the standard" rather than a "roll your own" approach - it results in less code to maintain and more familiar code for new developers.

Craig Nicholson
Interesting insight - perhaps you could expand your submission to provide a real-world example.
Phil Bachmann