Hi everyone !

Almost everything is in the title:

Here's what I'd like to do:

  1. A nice html page with a php authentication process (http first then http**s** & so on)
  2. Launch a flex app which knows (I don't know how; this is the actual question!) that the user has already been authenticated and displays the stuff he/she has to do for the day (or whatever...).

Of course if someone tries to call the flex app directly I would display an "authentication error" message and then redirect to the authentication page.

I'm sorry for my English which is perfectible.

I was thinking about the session cookie: first authenticate, then add a variable on the server side, something like:

$_SESSION['authenticate'] = true;

Then, on the flex side, just send the cookie and ask whether the user is properly authenticated, something like calling a php web page like:

https://is_authenticated.php?php_session=xxxx

Thank you

Olivier

A: 
Silfverstrom
Well err.. I had already read those links, thank you for your reply... maybe this is not exactly what I'm looking for... I'm wondering if using this method: 1. Php authentication 2. Once authenticated, launch Flex App 3. Flex App reads the phpsession variable and asks the webserver for an html page like "./is_authenticated?php_sessid=XXXX": if the result is true then everything is okay, otherwise this would mean that the user is not authenticated. I'm wondering if this method 1 -> 2 -> 3 is good and if there's another one that may be better? Thanks again for the answer!
Olivier Pons
A: 

Hi Olivier,

This is exactly what I would do.. A few things to consider from a security standpoint:

  • If your php service (from flex) gets an unknown session token, always generate a new one. This also applies to your PHP application and is often overlooked.
  • I would generate the swf with javascript, and manually insert the session cookie using javascript. This way people won't download and save (or cache) your php pages with sessions that are invalid in the future.
  • Even better would be to use a separate token other than the session, and on the server figure out what the session id was based on this flex token.
Evert
Thanks for your answer! "If your php service (from flex) gets an unknown session token, always generate a new one." => how about just redirecting to the php login page (which systematically regenerates a new session id)? I'm just looking for a safer way to do that. I'm just afraid of using the session id to "validate" that the user is connected (because this would mean that anybody who can read the session id can very easily simulate that the flex app is connected (call the specific web page manually) and then send whatever he/she wants). The third suggestion would send a cookie too.
Olivier Pons
Yes, a session cookie can be insecure, but it is the most common way to do things. If you are worried about people intercepting cookies you should really switch to SSL.
Evert
A: 

What are you using on the server side? Remember that you shouldn't do anything in the flex application other than send the SESSION ID along with any requests. Any time the client checks security, you have a bug. The server must validate the session and determine if the request is allowed.

It sounded in your last comment that you are worried about people manually calling a web page. Each page must check to see if the user is authenticated. I don't know your specific application, but you may try looking at AMFPHP and see how they do session authentication. Good luck!

ryanday
Actually I was a hacker (grey/black hat). And it's very easy to grab a session cookie, then, with wget, send a request to the server with the "hacked" session cookie (that looks like a valid cookie from the server's point of view). Just imagine a wget + session cookie + an SQL order (or a webservice, no matter the way it's done) like a huge "chat message" in a loop. Database full. From the server's point of view there's no way to know whether it's Flex or a hacker. And I really don't like that. So I'm looking for a way to avoid relying *only* on the session cookie. But it seems there's no other way...
Olivier Pons
Never saw this reply, sorry! Check the session cookie against the requesting IP address. I suppose you *could* spoof a tcp session, but these days SYN numbers (I hope) are random, so that's going to be hard. Or you can sign requests like Amazon S3.
ryanday
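A server-side sketch of the "is_authenticated" page discussed in this thread, added here as an example and not code from any of the answers: it keeps all checking on the server as ryanday insists, regenerates the id on an unknown session as Evert suggests, and verifies an S3-style HMAC over each request made with a per-login secret that is never put in a cookie (Evert's "separate token"). It assumes PHP 7+; the session keys, the X-Auth-Ts/X-Auth-Sig headers and the 300 s skew window are names constructed for this example.

```php
<?php
// Added example, not code from the thread. Server side of the
// "is_authenticated" check discussed above, applying the answers' advice:
// the client only forwards identifiers and the server decides; an unknown
// session gets a fresh id; and each request carries an S3-style HMAC made
// with a per-login secret that never travels in a cookie (the "separate
// token" idea). Assumes PHP 7+. The session keys, the X-Auth-Ts/X-Auth-Sig
// headers and the 300 s skew window are constructed names for this example.

session_start();

function verify_signature(string $secret, string $method, string $path,
                          string $ts, string $sig, int $now): bool
{
    // Stale or malformed timestamp: a captured request cannot be replayed later.
    if (!ctype_digit($ts) || abs($now - (int)$ts) > 300) {
        return false;
    }
    // String-to-sign mirrors the S3 scheme: verb, path and timestamp.
    $expected = hash_hmac('sha256', "$method\n$path\n$ts", $secret);
    return hash_equals($expected, $sig);   // constant-time comparison
}

// Called by the login page once credentials check out: rotate the session id
// and mint the signing secret, which the page hands to the Flex app directly
// (e.g. via the JavaScript that embeds the swf), not via a cookie.
function mark_logged_in(): string
{
    session_regenerate_id(true);
    $_SESSION['authenticate'] = true;
    $_SESSION['sign_key'] = bin2hex(random_bytes(32));
    return $_SESSION['sign_key'];
}

function is_authenticated(): bool
{
    // Unknown or expired session: issue a new id (as Evert suggests) and deny.
    if (empty($_SESSION['authenticate']) || empty($_SESSION['sign_key'])) {
        session_regenerate_id(true);
        return false;
    }
    $path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
    return verify_signature($_SESSION['sign_key'],
                            $_SERVER['REQUEST_METHOD'] ?? 'GET', $path,
                            $_SERVER['HTTP_X_AUTH_TS'] ?? '',
                            $_SERVER['HTTP_X_AUTH_SIG'] ?? '', time());
}

header('Content-Type: application/json');
echo json_encode(['authenticated' => is_authenticated()]);
```

A stolen session cookie alone no longer satisfies this endpoint, since the attacker also needs the signing secret held only by the logged-in Flex app; the Flex side computes the same HMAC over the verb, path and current timestamp and sends it in the two headers.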