Mobile App Development - HTML5 LocalStorage versus

Published 2019-03-28 06:33

Question:

We are developing a mobile web application on the jQuery Mobile platform that requires a user to provide their username and password.

Rather than asking the user to re-enter their details each time we want to only ask them once for their username and password and then prompt them to enter a pin.

We will encrypt this pin and encrypt a user identifier string and save both either in LocalStorage or Cookie.

When the user visits the application for a second time we will test if a user identifier can be found and if so prompt them to enter a pin.

Once the pin is entered we will securely (SSL) pass the pin and the user identifier to be decrypted and validated on the server.

I've read in a few places that we should use Cookies instead of LocalStorage (from a security point of view). Would you concur with this and can cookies be used across most smart-phones?

We also need to ensure that the user is required to re-enter their pin each time they close the browser or browse to another page or exceed 30 minutes of inactivity.

To manage this I was thinking of storing a value in SessionStorage as I have read that this is more secure than LocalStorage and expires when the browser is closed. Alternatively we could use Cookies again.

Security is a key concern so I'd be interested to hear any tips and/or alternative approaches you may have.

Many thanks in advance...

Answer 1:

If security is your chief concern, I would not recommend using cookies since they are sent with every request to the server, which could potentially be intercepted by anyone sniffing that traffic over the network. Performance-wise, using cookies also increases the amount of data going back and forth between server and client.

For your purposes I would choose sessionStorage if you want your data to be persistent only for the life of the browser session, including as well a timestamp that you can test for session expiration. Data in sessionStorage and localStorage stays only on the client and is never sent to the server.
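The timestamp-in-sessionStorage approach from the answer, worked through for the question's 30-minute inactivity rule, as an added example that is not code from the original post. The storage object is injected so the same functions run against `window.sessionStorage` in a browser or against the in-memory stand-in here; the key name `pinLastActivity` and the function names are assumptions. The client-side check only decides when to show the PIN prompt; the server still enforces its own session expiry when it validates the pin and identifier.

```javascript
const PIN_TIMEOUT_MS = 30 * 60 * 1000; // 30 minutes of inactivity, per the question
const KEY = 'pinLastActivity';          // assumed storage key name

// Minimal in-memory stand-in for the Web Storage getItem/setItem/removeItem
// surface, so the logic can run outside a browser (e.g. in tests).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Record that the user just did something (entered the PIN, loaded a page).
function touchActivity(store, now = Date.now()) {
  store.setItem(KEY, String(now));
}

// True when the PIN must be asked for again: no record exists (new tab or the
// browser was closed, since sessionStorage is per-tab and cleared on close),
// the record is unusable, or it is older than the timeout.
function pinRequired(store, now = Date.now(), timeoutMs = PIN_TIMEOUT_MS) {
  const raw = store.getItem(KEY);
  if (raw === null) return true;
  const last = Number(raw);
  // A non-numeric or future timestamp means the value was edited or the clock
  // moved; treat both as expired rather than trusting the stored value.
  if (!Number.isFinite(last) || last > now) return true;
  return now - last >= timeoutMs;
}

// Run on every page load: 'prompt' means show the PIN screen (and the stale
// record is discarded); 'ok' means the user stays in and the record is refreshed,
// which also covers the "browse to another page" case within the same tab.
function checkOnPageLoad(store, now = Date.now()) {
  if (pinRequired(store, now)) {
    store.removeItem(KEY);
    return 'prompt';
  }
  touchActivity(store, now);
  return 'ok';
}

// Browser usage: const state = checkOnPageLoad(window.sessionStorage);
```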