
I have some Flash SWFs that are embedded using swfobject and I pass them some vars like user id. How do I prevent people from reading these vars? If someone views the source of the PHP page that embeds the SWFs they can see all the variables that are being passed to Flash. Is there a way to hide these vars? What other ways are there to do this? I have thought about setting up an ExternalInterface and calling a JavaScript function to pass the vars to Flash - would this effectively hide the data I am sending?

thanks

+1  A: 

You cannot actually hide the data. You can only make it harder to find. Using Firebug or similar tools, people will always find out, since they can look at what your JS does, and at the data your app sends. The best you can do is to add some encryption, but using a decompiler, one can easily extract the decryption mechanism from the SWF.

If you described the general problem (what kind of data is being sent and why/against what you want it protected), maybe I could provide more specific ideas.

Edit: this seems like a serious security flaw to me. A restricted service should only grant access to properly authenticated users. The Flash client should never pass its user ID. Instead, a session (as created by a login) should be associated with a user, thus permitting identification. So your client will never even know of its user ID. It will just send a request and the PHP session will make it possible to find out this user ID and provide the corresponding data.

greetz
back2dos

Thanks, most of the data is to do with the user, it is a user id and a group id to allow Flash to call a page (AMFPHP) that queries the database for images belonging to that user and then loads images from a remote server. I also pass an IP address of the location of these images (this IP address is for Amazon Web Services and may change so I don't want to hard code). I am most worried that someone could manually (somehow) enter a different user id and be able to see other users' material. Can Flash get access to PHP session vars to check if the passed user id = session user id?
Hi Back2Dos, thanks for your responses. One problem I have with using a PHP session to store the user id is that the Flash client sometimes calls 2 servers, so I will need to use something like session clustering (quick Google of problem), mCaching etc. Our webserver is located at one host and our other server that will need to know the user id is located on Amazon Web Services. It sounds like perhaps the easiest thing to do is to create a 'session' record in the database when a user logs in and have both servers read the user id from this record. Can you suggest any alternative solutions?
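The server-side lookup the answer describes, combined with the database 'session' record proposed in the last comment, as an added example that is not part of the original thread. The table layout, the function names and the in-memory SQLite database (standing in for a database both servers can reach) are assumptions.

```php
<?php
// Added example: table, column and function names are assumptions.
// In-memory SQLite stands in for the database both servers can reach.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, user_id INTEGER, group_id INTEGER, expires_at INTEGER)');
$db->exec('CREATE TABLE images (id INTEGER PRIMARY KEY, owner_id INTEGER, path TEXT)');
$db->exec("INSERT INTO images (owner_id, path) VALUES (7, 'a.jpg'), (7, 'b.jpg'), (8, 'c.jpg')"); // constructed rows

// Called once after the login check succeeds. The client receives only a
// random token; the database keeps its hash, so a leaked table is not replayable.
function createSession(PDO $db, int $userId, int $groupId, int $ttl = 1800): string
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO sessions VALUES (?, ?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $userId, $groupId, time() + $ttl]);
    return $token;
}

// Either server resolves the token to an identity; unknown or expired gives null.
function resolveSession(PDO $db, string $token): ?array
{
    $stmt = $db->prepare('SELECT user_id, group_id FROM sessions WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Service method: there is no user id parameter for the client to tamper with.
function listImages(PDO $db, string $token): array
{
    $session = resolveSession($db, $token);
    if ($session === null) {
        throw new RuntimeException('not authenticated');
    }
    $stmt = $db->prepare('SELECT path FROM images WHERE owner_id = ?');
    $stmt->execute([$session['user_id']]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$token = createSession($db, 7, 1);
print_r(listImages($db, $token));            // only rows owned by the session's user
try {
    listImages($db, str_repeat('0', 64));    // token that was never issued
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The token is visible to the client just as the user id was, but it is unguessable, expires, and carries no meaning the client can edit to reach another user's rows.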