RE: [flexcoders] Newbie SOA question (maintaining login state)

2009-04-08 Thread Michael Pengi

I'd be interested in hearing more about this. Isn't there a 'normal' way to
do this with flex? Maintaining login state would seem to be a basic
requirement for web apps. Just curious.


Tracy Spratt wrote:
 
 I have a lot to learn about security, and had difficulty wading through all
 of the levels and options, so I devised my own programmatic solution.
 
 When a user logs in from the Flex app (md5 hash on the password), I create a
 sessionId, store it in a hashtable in the .net app, and pass it back to the
 Flex app. The Flex app sends this token with each call. The server checks
 the passed-in session id and compares the timestamp to the current time. If
 it is within the timeout period specified, it updates the timestamp and
 authorizes the call. If authorization fails, the user must log in again.
 
 I am certainly open to a better approach.
 
 Tracy Spratt,
 
 Lariat Services, development services available
 
 From: flexcoders@yahoogroups.com [mailto:flexcod...@yahoogroups.com] On
 Behalf Of variableop
 Sent: Friday, April 03, 2009 4:07 PM
 To: flexcoders@yahoogroups.com
 Subject: [flexcoders] Newbie SOA question
 
  
 
 I would like to provide a solution to maintaining login state over multiple
 calls to my .NET web service layer. So basically, the user logs in, then
 stores a login token internally on the Flex side so that each web service
 call can be authenticated as being made by someone who has already logged
 in to the system. Does anyone have any ideas on how to approach this? My
 initial approach was to cache the user's username/password and authenticate
 on each web service call (Direct Authentication). I was told, for obvious
 reasons, that this is an insecure method and requires a database hit each
 call. I am trying to implement WSE 3.0 enabled web services on the .NET
 side. Is this an SSO problem, or should I be using STS/Brokered
 Authentication approach? We just started our upgrade to VS2008, so maybe I
 should just pursue WCF methods instead? Any experiences with this would be
 greatly appreciated.
 
 TIA,
 
 variable
 
 
 
 
 

-- 
View this message in context: 
http://www.nabble.com/Newbie-SOA-question-tp22875841p22962243.html
Sent from the FlexCoders mailing list archive at Nabble.com.
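
The session-table scheme described in this thread (create an id at login, keep it in a server-side table with a timestamp, refresh the timestamp on each authorized call, force a new login once it is stale), sketched in C# for the .NET side. This is an added example, not code from any poster: the class and method names are hypothetical, and drawing the id from the OS random number generator is an assumption, since the thread does not say how the sessionId is produced.

```csharp
#nullable enable
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

public sealed class SessionStore
{
    private sealed record Entry(string User, DateTime LastSeenUtc);

    private readonly ConcurrentDictionary<string, Entry> _sessions = new();
    private readonly TimeSpan _timeout;
    private readonly Func<DateTime> _utcNow;   // injectable clock so expiry can be tested

    public SessionStore(TimeSpan timeout, Func<DateTime>? utcNow = null)
    {
        _timeout = timeout;
        _utcNow = utcNow ?? (() => DateTime.UtcNow);
    }

    // Call only after the credential check has succeeded.
    public string Create(string user)
    {
        byte[] raw = new byte[32];
        RandomNumberGenerator.Fill(raw);   // assumption: id comes from the OS CSPRNG
        string id = Convert.ToHexString(raw);
        _sessions[id] = new Entry(user, _utcNow());
        return id;
    }

    // Returns the user for a known, fresh id; null means the caller must log in again.
    public string? Authorize(string? sessionId)
    {
        if (string.IsNullOrEmpty(sessionId) || !_sessions.TryGetValue(sessionId, out Entry? entry))
            return null;
        DateTime now = _utcNow();
        if (now - entry.LastSeenUtc > _timeout)
        {
            _sessions.TryRemove(sessionId, out _);   // expired entries are dropped, not revived
            return null;
        }
        // Slide the window; the compare-and-swap cannot re-add an id that Logout removed.
        _sessions.TryUpdate(sessionId, entry with { LastSeenUtc = now }, entry);
        return _sessions.ContainsKey(sessionId) ? entry.User : null;
    }

    public bool Logout(string sessionId) => _sessions.TryRemove(sessionId, out _);
}
```

Whoever holds the id is treated as the logged-in user until it expires, so the calls that carry it need TLS.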



RE: [flexcoders] Newbie SOA question (maintaining login state)

2009-04-08 Thread Tracy Spratt
No more normal way with Flex than with html. Worse, really.  There are
just too many communication options, too many web server options and too
many degrees of secure.  Then the Flash Player weighs in with its own
restrictions on things like WebService headers and it just gets worse.

 

Tracy Spratt,

Lariat Services, development services available


From: flexcoders@yahoogroups.com [mailto:flexcod...@yahoogroups.com] On
Behalf Of Michael Pengi
Sent: Wednesday, April 08, 2009 8:09 PM
To: flexcoders@yahoogroups.com
Subject: RE: [flexcoders] Newbie SOA question (maintaining login state)

 







I'd be interested in hearing more about this. Isn't there a 'normal' way to
do this with flex? Maintaining login state would seem to be a basic
requirement for web apps. Just curious.
