I'm starting to build a couple of Flex/CF applications, and I'd like some advice on architecture.
I understand that a Flex application keeps its own state, and as much as possible, it's advisable to maintain state there. But of course, the application is generally accessing back-end data through stateless HTTP requests of one kind or another.

My question revolves around the use of data that would often be placed in a session-scoped object in CF. I realize this is an "it depends" question. But I'm guessing that I'm not the only CF developer wrestling with this, so perhaps a discussion would be useful to others, too. Let's assume that we're talking about private applications that are only accessed after a successful login.

In a CF-driven HTML application, there is often much information kept somewhere in the session scope regarding the current sessionUser -- perhaps information on permissions, relationships to Companies/Entities, Roles, and so on. These things may be used to check whether the action the user requests is to be allowed, and to filter data. All easily accessed from the session scope, or a facade of it, in CF.

Now -- all of these same bits of information naturally relate to using the same application model, but accessed through a Flex front-end. According to Ben Forta, if CF is accessed through Flash Remoting, session identifier cookies are passed back and forth correctly (assuming of course that the Flex/Flash app is embedded in a .cfm page).

We all know that we always want to check a user's authentication, permissions, filters, etc. on the server side, since we can't trust the request coming from the client. So it seems to me that I should create session-scoped data following a successful login; use the session cookies to identify the request from Flex, just as in an HTML app, and do server-side checking from there; and pass to Flex whatever objects are necessary to maintain proper state on the client side.

A simple example would be: a User logs in, and we retrieve the User's role and her/his relationship to a Company.
This information is stored in the CF session scope. As part of a "loginSuccess" routine, the User's role is returned to the Flex app. There, the role is used to determine what views are available to the User. The User's data requests from Flex need to be filtered by the Company relationship, but there's no need for Flex to know that (necessarily). Flex makes a request for certain data through Flash Remoting, we use the CF session identifier to retrieve the User's Company relationship, then use that to filter the data before returning it to Flex -- after we check on the Role permissions, of course.

So after all that -- does this seem like the "right" way to handle such things? And aside from architectural/philosophical considerations, is there any technical reason why this won't work?

I'm obviously new to Flex, and I'm just trying to generate a little validation/repudiation/advice/discussion. Thanks for any of the above.

--
Thanks,

Tom

Tom McNeer
MediumCool
http://www.mediumcool.com
1735 Johnson Road NE
Atlanta, GA 30306
404.589.0560

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:296378
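
The approach described in the post above, as an added example that is not part of the original message: a remoting CFC that stores the role and Company relationship in the session at login, returns only the role to Flex, and takes the Company filter from the session on every data request. The component name, `application.userGateway`, `application.dsn`, the role names and the `orders` table are assumptions, and session management is assumed to be enabled for the application.

```cfml
<!--- OrderService.cfc (hypothetical): remoting facade the Flex app calls --->
<cfcomponent output="false">
  <cffunction name="login" access="remote" returntype="struct" output="false">
    <cfargument name="username" type="string" required="true">
    <cfargument name="password" type="string" required="true">
    <cfset var result = structNew()>
    <!--- Assumed gateway: returns a struct with role and companyId, or an empty struct on failure --->
    <cfset var user = application.userGateway.authenticate(arguments.username, arguments.password)>
    <cfif structIsEmpty(user)>
      <cfthrow type="Security.LoginFailed" message="Login failed">
    </cfif>
    <cflock scope="session" type="exclusive" timeout="5">
      <cfset session.user = user>
    </cflock>
    <!--- Flex gets only the role, to pick views; companyId stays on the server --->
    <cfset result.role = user.role>
    <cfreturn result>
  </cffunction>

  <cffunction name="getOrders" access="remote" returntype="query" output="false">
    <cfset var q = "">
    <!--- No company or role argument: both come from the session, never from the request --->
    <cfset var user = requireRole("manager,staff")>
    <cfquery name="q" datasource="#application.dsn#">
      SELECT order_id, order_date, total
      FROM orders
      WHERE company_id = <cfqueryparam value="#user.companyId#" cfsqltype="cf_sql_integer">
    </cfquery>
    <cfreturn q>
  </cffunction>

  <cffunction name="requireRole" access="private" returntype="struct" output="false">
    <cfargument name="allowed" type="string" required="true">
    <cfset var user = structNew()>
    <cflock scope="session" type="readonly" timeout="5">
      <cfif structKeyExists(session, "user")>
        <cfset user = duplicate(session.user)>
      </cfif>
    </cflock>
    <cfif structIsEmpty(user)>
      <cfthrow type="Security.NotLoggedIn" message="Not logged in">
    </cfif>
    <cfif NOT listFindNoCase(arguments.allowed, user.role)>
      <cfthrow type="Security.Forbidden" message="Role not permitted">
    </cfif>
    <cfreturn user>
  </cffunction>

</cfcomponent>
```

The role returned to Flex only drives which views are shown; every remote method still calls `requireRole` because a client can invoke any remote method directly regardless of what the UI displays.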

