Flash, parameters, security

Question

Hi, I have a question:

In Flash, I have the ability to save certain info onto the server. Now the problem is the user needs to be authenticated as admin in order to do so.

I can't use sessions, since if you work longer than 20 minutes in the Flash application, the session is gone.

The way I see it, I have 2 possibilities: 1. passing a parameter (bIsAdmin) to Flash from the Website. 2. Launch a http-get request, to get this value (bIsAdmin) from an ashx handler on application startup, when the session has not yet exired.

In my opinion, both possibilities are not really secure... So, which one is safer, 1 or 2? Or does anybody have a better idea ?

In my opinion, 1 is safer, because with 2, you can just switch a packet tamperer in between, and bang, you're admin, with permission to save (or overwrite, =delete) anything.

Answer 1

Both are insecure. Analyzing the Flash code any user can discover the presence of the blsAdmin parameter and try generate the request to gain admin privileges.

Remember that the Flash applications can be decompiled and analyzed by anyone using tools as Flasm or SWFDump.

My solution? Use sessions to store the admin privileges. If the session is going to expire in 20 minutes generate a request every 10 minutes to a dummy page in the server to keep the session alive but this is also a bad practice. If you are an admin user you don't have to leave your application unattended in any moment without logging out when you finish using it.

Ta Ta,