Is it possible to make this Flex/Flash application safe?

Question

I'm back with another Flex/Flash security question. I've already received some help from the community on this topic, but I'm still not quite sure this is the best way to do.

Here's the thing. A flex web app, a lot of users (1000+), custom configuration of the application depending of the user group. Can I make this thing safe... or safer.

For the moment, when a user comes to the application, there is only one configuration possible, but for the next version we've implented a multi-configuration protocol, this way :
1. The user connect to Default.aspx, server code process the windows credentials (whe are on intranet) and give the correct xml configuration file.
2. The flex app loads with the xml conf file as a flashvar and then the app 'builds' itself with the content of the xml file.

As we know, since this is a flex application the swf is downloaded on the client computer and the xml file too. If more than one user connects to the app, from the same computer, the can possibly see the other xml file in the windows temp folder.

The current directory of the application looks that way :

Web site
    |-> default.aspx
    |-> index.swf 
    |-> configAdmin.xml 
    |-> configUserType1.xml 
    |-> configUserType2.xml 
    |-> com 
         |-> a lot of swf and xml files

I was first thinking making another directory (without read access for the client) containing all the configurations xml files, picking the right one, copying it to the client and deleting it afterwards. But it seems like I must let know the user know when downloading/deleting content on it's computer...

I'm running out of ideas, so I hope you have some great ones. It's there are some design flaws (in the way the app is build, not in Flash :p) please share. I'm always looking forward to improve.

Thanks

Update : In browser Flash/Flex (without AIR that is) doesn't allow deleting file localy silently (on the client computer, where the application is). It's also not yet possible to get session data.

Answer 1

The easiest and most obvious solution might be to simply use the as3crypto library.

Answer 2

To solve this problem you need to create a new aspx file, lets call it file_loader.aspx. This aspx file will be responsible for access control over any flat file on your server. All files, such as the xml files should be moved outside of the web root. When a user connects and logs in then the web app should know who they are, and what files they have access to. You could create a table in the database for this. This table will have the path to the xml file as well as "owner", or perhaps a list of owners. This table should be checked each time the flash/flex app wants to obtain a new xml file from file_loader.aspx.

Answer 3

I would suggest saving the XML file encrypted with a (symmetric) key that is stored in the session context. This can be an example sequence of events:

• Login: Generate symmeteric key for for the session, keep it in memory associated with the session
• Load configuration XML, encrypt it with session key and save it under a unique name. Store this name in session

When Flex application asks for the config file, do the following:

• Look up file name in session.
• Send the encrypted file to Flex

The Flex application receives encrypted file. It then asks the server for the decryption key (using HttpService or some such AJAX call), It decrypts file using as3crypto and makes use of it.

You should delete the temporary encrypted file from server upon logout.

With this approach, the key is generated on the server side in memory and never written to disk. The key is only valid for that one login session and is useless for future sessions.

Answer 4

Thanks to everyone who participated in that discussion. Here is what I've done.

IIS 6 has some restriction to the cache it allows it client to keep, modifying these settings solve the issue about the xml file.

When a user comes to the website, the server looks for his id in the database, if it's found it gives the corresponding file otherwise the user is being redirected.