Persistent and Session Cookies in Windows and Adobe AIR

In this article I am going to save you the trouble of researching how Windows XP, Vista, and 7 handle cookies in Internet Explorer and how those rules are delegated to Adobe AIR. You need to know some of the fundamentals before we can jump in. I had to learn all of this to be able to create a kiosk framework with a colleague that safely allows visitors to post to social media sites such as Twitter and Facebook from public kiosks. In my experience, social media sites cannot be trusted to provide proper logout methods for their API's, so our framework took a nuke all cookies and trust no one approach, which lead to several difficulties.

Adobe AIR on Windows Shares Internet Explorer Settings

As far as network timeouts, proxy settings, and cookies go; Adobe AIR shares those settings with IE on Windows. So set a proxy in IE, and AIR will obey the proxy. Set a network timeout in the registry for IE, and AIR will obey that too. The critical item here is that AIR shares Internet Explorers cookies and cookie behavior.

What are Persistent and Session Cookies?

A persistent cookie is a cookie that exists on a computer after a user has visited a site in a web browser. It is written as a small text file onto the computers hard drive. These small files are often used to keep visitors logged into a website after they have left the site and not explicitly logged out. The contents of the cookie differ greatly, and are usually just a bunch of random gibberish that servers use to uniquely identify a visitor or restore state.

A session cookie is a cookie that is only valid until the user leaves the website or closes the web browser. In the case of Internet Explorer, session cookies are held in memory until Internet Explorer is closed, or conversely the Adobe AIR application is closed.

Persistent Cookie Storage Location

In Windows Vista and 7, cookies for IE and AIR are stored at:
C:\Users\logged in user name\AppData\Roaming\Microsoft\Windows\Cookies
and
C:\Users\logged in user name\AppData\Roaming\Microsoft\Windows\Cookies\Low

The Challenge With Session Cookies, Windows, and Untrustworthy Social Networking Sites

Because session cookies are stored in memory, even when programming in native Windows applications; session cookies are in protected memory for the application that created them. In an Adobe AIR application this means the ONLY WAY to destroy a session cookie for good is to kill the application. As all of the official IE documentation states; session cookies are only destroyed when Internet Explorer is closed. This behavior is part of AIR on Windows as well.

What about persistent cookies?

On a public kiosk persistent cookies have no business existing in the first place. It is important that for untrustworthy social media sites (all of them). That persistent cookies be purged. Windows, for obvious reasons usually doesn't allow a persistent cookie to be deleted if it is in active use by the application. The solution is to delete all persistent cookies after the offending native exe or air application is closed.

For kiosk applications made in Adobe AIR or native Windows applications this means that programmers need to plan on killing the process for whatever part of the application interacted with the social media site. Maybe other kiosk vendors were so far on top of this in 2011 when I tackled it that it wasn't funny; but honestly I doubt it.