We are developing a mobile web application based on the jQuery Mobile platform, which requires the user to provide his username and password.
Instead of asking the user to re-enter their details each time we only want to ask them once for the username and password, then ask them to enter the PIN code.
We will encrypt this output and encrypt the user ID string and store it both in LocalStorage and in Cookie.
When the user visits the application for the second time, we will check whether it is possible to find the user ID, and if so, offer to enter the PIN code.
After entering the PIN code, we securely (SSL) transmit the PIN code and user ID, which will be decrytped and verified on the server.
I read in several places that we should use Cookies instead of LocalStorage (from a security point of view). Do you agree with this, and cookies can be used on most smartphones?
We also need to make sure that the user must re-enter their output each time they close the browser or go to another page or exceed 30 minutes of inactivity.
To handle this, I was thinking of storing the value in SessionStorage, as I read that it is more secure than LocalStorage, and expires when the browser is closed. Alternatively, we could use cookies again.
Security is a key issue, so I will be interested to hear any advice and / or alternative approaches that you may have.
Thank you very much in advance...
user445069
source share