So I know the best practice would be to run my Flex app over SSL along with implementing other forms of security; however, that isn't an option at this point (for monetary reasons, and the app simply doesn't need that much security, otherwise my sponsors would pay for it). However, I would like to implement some form of security, and I'm wondering whether it's even worth it when I don't have SSL to protect the transactions.

So my setup is that I have an ASP.NET server side with a Flex UI. Right now the UI is the only thing that protects access to the server: the server doesn't do any sort of verification during each request, it just assumes the person is allowed to do it. Obviously, anybody could write a program to generate posts (even if I could use SSL it would be like Swiss cheese). Like I said before, security isn't a big deal, this is an internal app and it's nothing critical, however I do believe in doing things right. Would keeping the user info in session and then verifying that the given user has permission, etc., be a viable option? Perhaps some sort of token system?

What would your preferred method of protecting this setup be?

...and no, I won't give you the URL :)

+1  A: 

Unfortunately, I know diddly squat about Flex, but I think I can help anyway. I think you have two reasonably good options.

First though, we need to clarify something... Are you saying the server doesn't do any authorization? Does it at least have the ability to authenticate a user? Do you have any control over the server code? If not, I don't think the following suggestions will help. I'm not sure how you're supposed to secure a server with just client side code. Maybe there is a way, but I can't think of it.

1) Use HTTP digest authentication. This requires that the server is configured to understand it and that there is support in the Flex API for adding the appropriate auth header to the HTTP request. The server authenticates the user by his password and can check what operations can be performed by said user against some authorization mechanism.

2) Follow the guidelines in this article to implement the authentication scheme that many Atom publishing endpoints use. The Flex API will have to provide some support for this; maybe there is an existing third-party lib, though. If you can get access to the HTTP headers you should be able to implement the rest.

Good luck.

stinkymatt
Great link, thanks. Just to fill you in, the server does the initial authentication, but I got lazy when I originally wrote this a while back and it never verifies anything after that.
Chris Thompson
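The HTTP digest option from the answer above, worked through as an added example (not part of the original answer or of any Flex/ASP.NET library): the client computes the RFC 2617 response so the password itself never crosses the unencrypted link, and the server verifies it from a stored H(A1) and refuses a nonce-count it has already accepted, which is what stops a captured request from being replayed. The realm, the account and the /Service.asmx/ChangePassword path are constructed for the example.

```python
import hashlib, secrets

REALM = "flex-internal"  # constructed realm name for this example

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def ha1(username: str, password: str, realm: str = REALM) -> str:
    # H(A1) = MD5(username:realm:password); the server stores this, not the password
    return _md5(f"{username}:{realm}:{password}")

def digest_response(ha1_hex: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    # RFC 2617, qop=auth: MD5(H(A1):nonce:nc:cnonce:auth:H(A2)) with H(A2) = MD5(method:uri)
    return _md5(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:auth:{_md5(f'{method}:{uri}')}")

class DigestServer:
    def __init__(self, users: dict):
        self.users = users   # username -> H(A1); plaintext passwords are never needed here
        self.nonces = {}     # nonce -> highest nonce-count (nc) accepted so far

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def verify(self, method: str, uri: str, auth: dict) -> bool:
        if (h := self.users.get(auth["username"])) is None or auth["nonce"] not in self.nonces:
            return False
        if int(auth["nc"], 16) <= self.nonces[auth["nonce"]]:
            return False     # this nc was used before: a replayed request
        expected = digest_response(h, method, uri, auth["nonce"], auth["nc"], auth["cnonce"])
        if not secrets.compare_digest(expected, auth["response"]):
            return False     # wrong password, or method/URI changed in transit
        self.nonces[auth["nonce"]] = int(auth["nc"], 16)
        return True

def client_authorize(username: str, password: str, method: str, uri: str, nonce: str, nc: int) -> dict:
    # Builds the Authorization header fields; the password itself never goes on the wire
    cnonce, nc_hex = secrets.token_hex(8), f"{nc:08x}"
    response = digest_response(ha1(username, password), method, uri, nonce, nc_hex, cnonce)
    return {"username": username, "realm": REALM, "nonce": nonce, "uri": uri,
            "nc": nc_hex, "cnonce": cnonce, "qop": "auth", "response": response}

def demo(uri: str = "/Service.asmx/ChangePassword") -> tuple:
    # Constructed account and endpoint; returns (first call ok, replay ok, wrong password ok)
    server = DigestServer({"chris": ha1("chris", "correct horse")})
    nonce = server.challenge()
    first = client_authorize("chris", "correct horse", "POST", uri, nonce, 1)
    bad = client_authorize("chris", "wrong pass", "POST", uri, nonce, 2)
    return server.verify("POST", uri, first), server.verify("POST", uri, first), server.verify("POST", uri, bad)
```

What digest gives you without SSL is a password that never appears on the wire and a request that cannot be replayed verbatim; it gives no confidentiality or integrity for the request body itself.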
A: 

How are you communicating with the server: SOAP, REST, etc.?

If it is SOAP, have a look at the answer to this question:

http://stackoverflow.com/questions/1181155/general-password-security-implementation-in-actionscript-3/1181744#1181744

and here's a link on how to add the header to the SOAP message:

http://stackoverflow.com/questions/1247273/how-to-add-a-flat-message-header-to-a-flex-web-service-call/1249592#1249592

Hope this helps

Jon
+1  A: 

ASP.NET Session itself is token-based security, and yes, you can easily implement that by doing

[WebMethod(true)]

and yes, any web method that requires login to be done first should call User.IsAuthenticated, which verifies the session token.

You can easily implement forms authentication (leave web.config empty; you can use FormsAuthentication in code).

For example,

using System.Web.Security;
using System.Web.Services;

// illustrative class name; the methods are what matter
public class FlexService : WebService
{
    // WebMethod(true) enables session state, so Session and User are available on each call
    [WebMethod(true)]
    public string DoLogin(
        string username,
        string password)
    {
        //.. do your verification of username/password here
        FormsAuthentication.SetAuthCookie(username, false);
        return "Login Successful";
    }

    [WebMethod(true)]
    public string ChangePassword(
        string oldPass,
        string newPass)
    {
        // verify the caller is logged on before doing anything
        // (User is an IPrincipal, so the flag lives on User.Identity)
        if (!User.Identity.IsAuthenticated)
            return "Please Login";
        // The code below is only reached by an authenticated user
        // change pass...

        return "Password Changed Successfully.";
    }
}

We have developed many Flex+ASP.NET sites and did exactly the same thing, but instead of returning a string we usually return a class like the following...

public class WSResult<T>
{
     public bool Successful;   // defaults to false, so set it to true on success
     public string Message;    // details when Successful is false
     public T Result;          // a single item
     public T[] Results;       // an array of items
}

The convention is simple: if the method was successful then you return Successful = true, and depending upon whether you want to return an array of items or just a single item, you can return either Results or Result. If there has been any error or unauthorized access you can set Successful = false and set Message to a detailed string, as in the following example.

[WebMethod(true)]
public WSResult<BusinessUser> DoLogin(
    string username,
    string password)
{
    try
    {
        BusinessUser user = BusinessUser.GetByUsername(username);
        if (user == null)
            throw new Exception("User not found");
        // compares the stored credential directly; note that two different messages
        // tell the caller which usernames exist, a single "invalid credentials" message does not
        if (user.Password != password)
            throw new Exception("Password did not match");
        // issue the session token, as in the first example, so later calls see an authenticated user
        FormsAuthentication.SetAuthCookie(username, false);
        return new WSResult<BusinessUser> { Successful = true, Result = user };
    }
    catch (Exception ex)
    {
        // this will even catch any DAL exceptions or any system error as well
        // Log Exception... somewhere for tracking...
        return new WSResult<BusinessUser> { Successful = false, Message = ex.Message };
    }
}
Akash Kava
Thanks Akash, how do you handle the object serialization?
Chris Thompson
We are using pure SOAP 1.2 XML Web Services, so everything serializes correctly in XML format, and in Flex Builder you can easily import the WSDL and the types are serialized correctly. WSResult<long> gets serialized as WSResultOfInt64 in Flex; you can output generic result types as well. XML serialization is a little costly; however, we mostly use [XmlAttribute] in order to reduce network traffic.
Akash Kava
Another point I would like to make is that HTTP Handlers are more time-consuming to write, and trying a JSON implementation etc. is too time-consuming for larger projects. Not only that, error handling is another pain. Pure ASP.NET SOAP Web Services are much more stable and faster to write.
Akash Kava