I am developing an ASP.NET mobile website using .NET 3.5 and mobile controls that come with the framework. I have a login form where the system will authenticate the user so he/she can access certain restricted pages.

In a standard ASP.NET website, I can use a session to store some flag after a user has logged in, but I wonder whether I can do the same for the mobile version. Are session variables (or cookies) supported by those mobile devices' browsers? Is there also any standard practice for doing authentication for mobile pages?

+1  A: 

Session variables are stored on the server, so you can forget the device browser capabilities.

I have no practice developing for mobile devices, but 4 years ago I was using a service that used cookie authentication and the phone was not top-notch, so... I think you can take cookie availability for granted. Full-featured browsers for mobile are taking on, so... invest in the future, don't spend energy on old technologies soon to be deprecated...

In my opinion, prefer cookie authentication: it's more standard, and you can save the cookie on the phone, preventing further authentications...

Davide Vosti

Hi Davide, Thanks for the suggestion.


You can indeed support cookie authentication but the only guaranteed way for it to work is to attach the cookie ID as part of the URL i.e. cookieless sessions. Yes, this is bad practice as it's ugly and very insecure and all modern phones support cookies.

But some devices have cookie limitations and, what's more, some networks strip all cookie information from the HTTP headers that pass through their gateways even though the phone has no problems (NTT DoCoMo do this in Japan). It may not apply in your situation but it's something to keep in mind.

Lucky for you, ASP.NET does support cookieless sessions easily. In the app.config file:

<sessionState cookieless="true" />

does the trick.

Shane Breatnach
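
An added example, not part of either answer: a web.config fragment that puts the cookieless setting quoted above beside an AutoDetect alternative for both session state and forms authentication, so the ID travels in the URL only for clients or gateways that drop cookies. The login page name, the Restricted folder and the timeout values are assumptions chosen for illustration.

```xml
<!-- Added example. Login.aspx, the Restricted folder and the timeouts are assumed values. -->
<configuration>
  <system.web>

    <!-- Setting from the answer above: every client gets the session ID in the
         URL path, e.g. /(S(SESSIONID))/Default.aspx (SESSIONID is a placeholder),
         where it can end up in gateway logs, Referer headers, bookmarks and
         links that users share. -->
    <!-- <sessionState cookieless="true" /> -->

    <!-- Alternative: probe the client and use a cookie when it round-trips,
         falling back to the URL form only when the cookie does not come back.
         regenerateExpiredSessionId issues a fresh ID when a client presents an
         expired one in the URL, instead of reusing the ID from an old link. -->
    <sessionState mode="InProc"
                  cookieless="AutoDetect"
                  regenerateExpiredSessionId="true"
                  timeout="20" />

    <!-- Forms authentication keeps the login state in an encrypted, signed
         ticket instead of a hand-rolled session flag. The same AutoDetect
         fallback applies to the ticket. A short, non-sliding timeout limits
         how long a ticket that leaked through a URL stays usable. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             cookieless="AutoDetect"
             protection="All"
             requireSSL="true"
             slidingExpiration="false"
             timeout="20" />
    </authentication>

    <!-- Applies to cookies the application issues itself: not readable from
         script, and only sent over HTTPS. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

  </system.web>

  <!-- Restricted pages: anonymous users are redirected to the login page. -->
  <location path="Restricted">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With requireSSL enabled, the login page and the restricted pages have to be served over HTTPS, which also keeps a URL-borne ID out of cleartext traffic between the phone and the site.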