Q: We’ve been testing Microsoft
Outlook Mobile Access (OMA) and
have found that our users’ passwords
are being cached. How do we
control this behavior?
A: Well, that depends on your users’
phones. Here’s the situation: OMA
uses Basic Web authentication over
Secure Sockets Layer (SSL) to send
an authentication request to users’
mobile devices, which then can either
prompt the users for credentials or
return a cached set of credentials. To
prevent the annoyance of needing to
continually retype your password on a
10-key numeric pad, most cell-phone
manufacturers include some kind of
caching mechanism in their phones.
OMA isn’t the one caching authentication
information, so you can do
nothing on the server side to prevent
the behavior you describe. Whether
you can clear the cache and stop the
behavior depends on the phone. Some
newer phones (e.g., Sony Ericsson’s
T610) include a separate password
cache that has a shorter lifetime than
the phone’s typical cache. Contact the
manufacturers of your users’ phones
to determine whether you can control
those phones’ caching behavior.