Guys.. I appreciate all your help. I could realize how many possibilities there are regarding authentication. My question now is: How can I secure my HTTPService? Is there some HTTPSService? What do I do to work with SSL? Or even.. if I send user name and password through an unprotected HTTPService. What are the chances of my data to be intercepted?
On 05 Apr 2007 13:10:28 -0700, Ray Horn <[EMAIL PROTECTED]> wrote:
Yes, but there is an advantage to working with HTTPService destinations that are Session-Less as well as Connection-less. Reliance upon a server-side Session only works to weaken the usefulness of web based service providers. ----- Original Message ---- From: Samuel R. Neff <[EMAIL PROTECTED]> To: flexcoders@yahoogroups.com Sent: Thursday, April 5, 2007 12:20:37 PM Subject: RE: [flexcoders] Re: User authentication You don't need to bother with HTTPS or encryption if you use a challenge-response methodology. For that simple Hashing will do (AS3 corelib has a SHA256 implementation among others). Servers sends random text challenge to client. Client responds back with hashed combo of random text and the password, along with username. Server confirms both know the same thing by comparing hashes without ever sending the password over the wire. Pretty simple to implement. Also depending on the application server you may not need to bother with generating a session token and storing/passing it. For example with ASP.NET <http://asp.net/> all HTTPService and RemoteObject calls are within the context of a user session so on the server side we can use the built-in Session support with no custom coding. Sam ------------ --------- --------- --------- ---- We're Hiring! Seeking a passionate developer to join our team building Flex based products. Position is in the Washington D.C. metro area. If interested contact [EMAIL PROTECTED] l.com <careers%40blinemedical.com>
-- André Rodrigues Pena LOCUS www.locus.com.br Blog www.techbreak.org
