Anyone here using Xamarin
Message
From
16/02/2015 08:19:25
To
16/02/2015 04:28:17
General information
Forum: Level Extreme
Category: Mobile devices
Miscellaneous
Thread ID: 01615312
Message ID: 01615371
Views: 33
>>>Hi Viv and thanks. As I said to John, the more I look at this project the more I think it should be a web app, which would remove the need for cross platform. I just need to find a way of restricting its use to a selected group, maybe using RSA type keys or whatever the cool way is these days. As always, I'm open to suggestions.
>>
>>I would have suggested a web app but it's not really possible to get the 'slickness' of a native app and I thought you may have ruled it out for that reason.
>>
>>The best approach to restricting access probably depends on (amongst other things) the number of likely users and how they would be added/removed from the list. One option for a small group is to use Windows authentication on IIS and restrict access to specific domain roles/users.
>>
>>The last time I needed this type of security we required the user to request an account, which triggered an email to admins with a link allowing them to approve the request and activate the account. Also, by storing a token in HTML5 local storage, we allowed users to be permanently 'logged in' unless they specifically logged out (or their account was disabled by admin).
>
>Pure nosiness: did you check the security aspects of local storage? Before WebSQL was murdered, that one was the biggest doubt to my highflying plans ;-)
>From the docs it is supposed to be safe, but how often did they claim to have fixed cross-site/frame scripting?
>How strongly is it encrypted? Is it possible the user maps local storage to mSDHC?

Short answer: I don't know how secure it is. Theoretically it's only accessible from the same URL that wrote it. We're also storing quite a bit of data locally for use in offline situations.

IAC, since I permanently store the token unless the user explicitly logs off, then anyone who has access to their device can access the site.
It's a risk that they are made aware of but balanced against the inconvenience of having to continually log on when operating a small device - often in inclement conditions.....
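
The scheme described in this thread (a token kept in HTML5 local storage that stays valid until the user logs out or an admin disables the account), shown from the server side as an added example; it is not code from the thread. `createTokenStore`, the in-memory maps and the sample accounts are assumptions made for illustration.

```javascript
// Added example, not code from the thread. Server side (Node.js) of a
// "stay logged in" token that the browser keeps in localStorage.
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// accounts: Map of username -> { enabled: boolean } (hypothetical user store)
function createTokenStore(accounts) {
  // sha256(token) -> username; the raw token is never kept on the server
  const tokens = new Map();
  const isActive = (user) => accounts.has(user) && accounts.get(user).enabled === true;

  return {
    // Called once the user has an approved account and has authenticated;
    // the returned value is what the page would put in localStorage.
    issue(user) {
      if (!isActive(user)) return null;
      const token = crypto.randomBytes(32).toString('hex'); // 256-bit opaque value
      tokens.set(sha256(token), user);
      return token;
    },
    // Called on every request: the token alone is not enough, the account
    // must still be enabled at the time of the request.
    validate(token) {
      if (typeof token !== 'string') return null;
      const user = tokens.get(sha256(token));
      return user !== undefined && isActive(user) ? user : null;
    },
    // Explicit log-off revokes only the token held by that device.
    logout(token) {
      return typeof token === 'string' && tokens.delete(sha256(token));
    },
    // Admin action: disable the account and drop every token issued to it,
    // so re-enabling later does not revive tokens left on old devices.
    disable(user) {
      if (!accounts.has(user)) return false;
      accounts.get(user).enabled = false;
      for (const [hash, owner] of tokens) if (owner === user) tokens.delete(hash);
      return true;
    },
  };
}

// Constructed sample data: two approved accounts.
const sampleAccounts = () =>
  new Map([['alice', { enabled: true }], ['bob', { enabled: true }]]);
```

Because the server stores only a hash and checks the account on every request, disabling the account cuts off a token that is still sitting in a device's local storage.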