What I do is this: authenticate the user's ID and password. If the credentials check out, I generate a UUID token which I then send back to the client. The database table logs the token, the user ID it belongs to, and a timestamp representing the last time the token was used.
On subsequent calls to the server, the token is passed along as a parameter. Before filling a request, the server side components all pass the token they receive to a security component which validates the token against the database table, checks the timestamp is within a given timeout window, and updates the last-used timestamp if everything checks out. Everything goes over SSL.

--- In flexcoders@yahoogroups.com, "ripe101" <[EMAIL PROTECTED]> wrote:
>
> Nick,
>
> Thanks for the reply...
> One question, if you are using SSL, why are you also encrypting the data through the application?
>
> I also saw mention in several presentations that Flex apps are being used by financial institutions, so this must have been tackled already in an "enterprise" security setting. Is it a full custom activity to implement strong security for flex applications?
>
> Thanks
> JK
>
> --- In flexcoders@yahoogroups.com, "Nick Collins" <ndcollins@> wrote:
> >
> > The way I have been doing it, while admittedly probably not best, is this:
> >
> > I have all my roles and user information in my database. When the user types in their username and password, it is encrypted, sent to the CFC which decrypts it, and runs a query against the database. If the authentication is successful, it encrypts and returns the user's data (name, role, etc.) to the flex frontend, which then decrypts it and displays the information they have access to. The roles table of my database has flags for different sections of the app, and it has to return a positive value to open up access to view, or to edit, that section. The encryption key for the AES encryption is stored in an external XML file and is read in when the app loads. Additionally, I send the data via SSL.
> >
> > Is it hacker-proof? Probably not, but what is? It at least makes it enough of a pain that I haven't had any problems.
> >
> > On 4/2/07, ripe101 <ripe909@> wrote:
> > >
> > > OK, I have only found several posts asking, and many answers that don't seem to really address the issue.
> > >
> > > How is user authentication and session management handled best in Flex? Taking into consideration the following:
> > >
> > > * All business logic is server side and available only to an authenticated user (and only the components they have access to).
> > > * Cannot reverse engineer the flash file to gain access to the server side.
> > > * Each server side call must be authenticated.
> > > * Preferably the main application is not downloaded until the user is authenticated.
> > >
> > > I saw suggestions on authenticating the user and then storing the roles on the client; this seems very insecure, as the user could potentially write their own app and stick roles in that client side variable.
> > >
> > > I got the few books on Flex that are out there, but none of them really cover this critical issue. Maybe I'm missing something basic?
> > >
> > > Thanks
> > > JK
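The token scheme described at the top of this message (check credentials, mint a UUID, store it with the user ID and a last-used timestamp, validate and refresh it on every later call), written out as a runnable server-side sketch. This is an added example, not code from the poster or from any Flex/ColdFusion project: it uses Python and an in-memory SQLite table in place of a CFC and a real database, the 15-minute idle timeout is an assumed value (the post names none), and it goes one step beyond the post by storing a digest of the token rather than the token itself, so a copy of the table does not hand out live sessions. The `SessionStore` class, the `demo()` walkthrough and the sample user are all constructed here.

```python
"""Server-side session tokens backed by a database table.

Flow as in the post: verify ID and password -> mint a random UUID token ->
record (token, user id, last-used time) -> on every later call look the token
up, reject it once the idle window has elapsed, otherwise refresh the
timestamp and return the user the request belongs to.
"""
import hashlib
import hmac
import os
import sqlite3
import time
import uuid

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed window; the post does not state one


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _hash_token(token: str) -> str:
    # Store a digest, not the raw token, so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    """Hypothetical stand-in for the 'security component' in the post."""

    def __init__(self, clock=time.time, timeout=IDLE_TIMEOUT_SECONDS):
        self.clock = clock          # injectable so the timeout can be tested
        self.timeout = timeout
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE users (user_id TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
        self.db.execute(
            "CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, "
            "user_id TEXT NOT NULL, last_used REAL NOT NULL)")

    def add_user(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.db.execute("INSERT INTO users VALUES (?, ?, ?)",
                        (user_id, salt, _hash_password(password, salt)))

    def login(self, user_id: str, password: str):
        """Authenticate ID + password; on success return a fresh token, else None."""
        row = self.db.execute(
            "SELECT salt, pw_hash FROM users WHERE user_id = ?", (user_id,)).fetchone()
        if row is None:
            return None
        salt, pw_hash = row
        if not hmac.compare_digest(_hash_password(password, salt), pw_hash):
            return None
        token = str(uuid.uuid4())   # uuid4 is random; uuid1 is time/MAC based and predictable
        self.db.execute("INSERT INTO sessions VALUES (?, ?, ?)",
                        (_hash_token(token), user_id, self.clock()))
        return token

    def validate(self, token: str):
        """Check run before every server call. Returns the user_id or None."""
        token_hash = _hash_token(token)
        row = self.db.execute(
            "SELECT user_id, last_used FROM sessions WHERE token_hash = ?",
            (token_hash,)).fetchone()
        if row is None:
            return None                       # unknown or already revoked token
        user_id, last_used = row
        now = self.clock()
        if now - last_used > self.timeout:
            # Idle too long: revoke rather than leave a stale row behind.
            self.db.execute("DELETE FROM sessions WHERE token_hash = ?", (token_hash,))
            return None
        self.db.execute("UPDATE sessions SET last_used = ? WHERE token_hash = ?",
                        (now, token_hash))
        return user_id

    def logout(self, token: str) -> None:
        self.db.execute("DELETE FROM sessions WHERE token_hash = ?", (_hash_token(token),))


def demo() -> bool:
    """Walk the flow with a fake clock so the sliding timeout can be exercised."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0], timeout=60)
    store.add_user("jk", "correct horse")          # constructed sample user
    assert store.login("jk", "wrong") is None      # bad password: no token issued
    token = store.login("jk", "correct horse")
    assert store.validate(token) == "jk"
    now[0] += 59
    assert store.validate(token) == "jk"           # inside the window, timestamp refreshed
    now[0] += 59
    assert store.validate(token) == "jk"           # sliding window counts from last use
    now[0] += 61
    assert store.validate(token) is None           # idle past the window: revoked
    assert store.validate(token) is None           # stays revoked afterwards
    assert store.validate(str(uuid.uuid4())) is None   # token never issued
    return True


if __name__ == "__main__":
    print("session flow ok" if demo() else "session flow failed")
```

Two details worth keeping when porting this to the real backend: the window is measured from the last use, not from login, because `validate` rewrites `last_used` on every accepted call, and the token should be carried in a header or POST body rather than a URL query parameter so it does not end up in server and proxy logs. Everything here still assumes the transport is SSL, as in the post.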