Securing a FCS app
| Stefan Richter 2006-01-24, 7:46 am |
| This must be a problem that many of us here face.
My users need to log into a website which uses PHP. They are authenticated
via PHP/Mysql. Now I have a swf (chat app) and I want to avoid my users
having to log on again to use the chat.
Is there a way to put the swf/user into the current session scope? Usually
one could pass some data to the swf via Flashvars but that seems pretty easy
to hack.
Or do I need to deploy a full blown ticketing system? And if so, how can I
avoid users having to log in twice, once via php and once via swf?
Or would this work:
1) Pass in userid and sessionid on load of chat page
2) Flash sends sessionid and userid to php script
3) php script checks sessionid against userid
4) If session id and userid match, return username, gender etc etc
But after logging in via PHP, will the page that I call from within Flash
actually be in the session scope? We'll test it but I'd still be keen how
others secure their Flashcom apps.
Stefan
=-----------------------------------------------------------
Supported by Fig Leaf Software - http://www.figleaf.com
=-----------------------------------------------------------
To change your subscription options or search the archive:
http://chattyfig.figleaf.com/mailman/listinfo/flashcomm
| |
| Naicu Octavian 2006-01-24, 7:46 am |
| Actually it is much simpler. All the calls from the client to the
server will be in the same sessionid (until the browser is restarted), and
that includes the browser requesting pages, the swf calling for php scripts
with LoadVars.
So basically here's what you need to do:
1) When the swf is loaded it calls for a small script on the server side
2) If someone is logged in (based on some session variables) it returns
the username and other details.
Hope this helps.
Stefan Richter <stefan-fMeCE+ULXElEfu+5ix1nRw@public.gmane.org> wrote:
This must be a problem that many of us here face.
My users need to log into a website which uses PHP. They are authenticated
via PHP/Mysql. Now I have a swf (chat app) and I want to avoid my users
having to log on again to use the chat.
Is there a way to put the swf/user into the current session scope? Usually
one could pass some data to the swf via Flashvars but that seems pretty easy
to hack.
Or do I need to deploy a full blown ticketing system? And if so, how can I
avoid users having to log in twice, once via php and once via swf?
Or would this work:
1) Pass in userid and sessionid on load of chat page
2) Flash sends sessionid and userid to php script
3) php script checks sessionid against userid
4) If session id and userid match, return username, gender etc etc
But after logging in via PHP, will the page that I call from within Flash
actually be in the session scope? We'll test it but I'd still be keen how
others secure their Flashcom apps.
Stefan
| |
| Stefan Richter 2006-01-24, 7:46 am |
| Great, so sessionvars are the way to go it seems.
Stefan
> -----Original Message-----
> From: flashcomm-bounces-1Ss2GqJETD3yZ38Mhd3e/9ZfFG6BLHNm@public.gmane.org
> [mailto:flashcomm-bounces-1Ss2GqJETD3yZ38Mhd3e/9ZfFG6BLHNm@public.gmane.org] On Behalf Of
> Naicu Octavian
> Sent: 24 January 2006 12:07
> To: FlashComm Mailing List
> Subject: Re: [FlashComm] Securing a FCS app
>
> Actually it is much simpler. All the calls from the
> client to the server will be in the same sessionid (until the
> browser is restarted), and that includes the browser
> requesting pages, the swf calling for php scripts with LoadVars.
>
> So basically here's what you need to do:
> 1) When the swf is loaded it calls for a small script on
> the server side
> 2) If someone is logged in (based on some session
> variables) it returns the username and other details.
>
> Hope this helps.
| |
| Ritesh Jariwala 2006-01-24, 7:46 am |
| Yeah...use $HTTP_SESSION_VARS to treat session variables.
With Regards,
Ritesh Jariwala (Actkid)
Freelance Developer
www.actkid.com
Company: www.synonymic.com
-----Original Message-----
From: flashcomm-bounces-1Ss2GqJETD3yZ38Mhd3e/9ZfFG6BLHNm@public.gmane.org
[mailto:flashcomm-bounces-1Ss2GqJETD3yZ38Mhd3e/9ZfFG6BLHNm@public.gmane.org] On Behalf Of Stefan Richter
Sent: Tuesday, January 24, 2006 5:45 PM
To: 'FlashComm Mailing List'
Subject: RE: [FlashComm] Securing a FCS app
Great, so sessionvars are the way to go it seems.
Stefan
| |
| Beto A 2006-01-24, 5:47 pm |
| Do realize that if you want to limit the # of users (that already have
logged in) using FMS ticketing is the best way to go.
Ritesh Jariwala <me-yepUNE9fm2vQT0dZR+AlfA@public.gmane.org> wrote:
Yeah...use $HTTP_SESSION_VARS to treat session variables.
With Regards,
Ritesh Jariwala (Actkid)
Freelance Developer
www.actkid.com
Company: www.synonymic.com
| |
| Jim Duber 2006-01-24, 5:47 pm |
| Hi Stefan,
You might want to have a look at chapter 18 in the Programming Flash
Communication Server book (by Brian, Peldi, et al). It has a great
section on "Single Sign-On" (p. 755). The examples use ColdFusion in
place of PHP. The explanations are top-notch, of course (thanks,
Brian!), which made it pretty easy for me to convert the CFCs into PHP
files and then create a ticketing system to suit my needs.
Best wishes,
Jim
On Jan 24, 2006, at 3:12 AM, Stefan Richter wrote:
> This must be a problem that many of us here face.
> My users need to log into a website which uses PHP. They are
> authenticated
> via PHP/Mysql. Now I have a swf (chat app) and I want to avoid my users
> having to log on again to use the chat.
> Is there a way to put the swf/user into the current session scope?
> Usually
> one could pass some data to the swf via Flashvars but that seems
> pretty easy
> to hack.
>
> Or do I need to deploy a full blown ticketing system? And if so, how
> can I
> avoid users having to log in twice, once via php and once via swf?
>
> Or would this work:
> 1) Pass in userid and sessionid on load of chat page
> 2) Flash sends sessionid and userid to php script
> 3) php script checks sessionid against userid
> 4) If session id and userid match, return username, gender etc etc
>
> But after logging in via PHP, will the page that I call from within
> Flash
> actually be in the session scope? We'll test it but I'd still be keen
> how
> others secure their Flashcom apps.
>
> Stefan
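Naicu Octavian's suggestion (a small server-side script that answers from session variables) and the ticketing approach Beto A and Jim Duber mention can be combined as sketched below. This is an added example, not code from any poster or from the book Jim cites; the `$_SESSION['user']` key, the function names, the in-memory `$store` (standing in for a MySQL table) and the 60-second lifetime are assumptions.

```php
<?php
// Added example. Assumptions: the login page stored the user in $_SESSION['user'];
// $store stands in for a MySQL tickets table; names and the 60 s lifetime are hypothetical.
const TICKET_TTL = 60;

// Step 1, called by the swf (LoadVars): identity is read from the PHP session,
// never from userid/sessionid values the client could edit in FlashVars.
function issue_ticket(array $session, array &$store, int $now): string
{
    if (empty($session['user'])) {
        return http_build_query(['ok' => 0]);
    }
    $ticket = bin2hex(random_bytes(16));            // 128-bit random, unguessable
    $store[hash('sha256', $ticket)] = [             // keep only a hash at rest
        'user'    => $session['user'],
        'expires' => $now + TICKET_TTL,
    ];
    return http_build_query(['ok' => 1, 'ticket' => $ticket]);
}

// Step 2, called server to server by the chat application when the swf connects
// and presents the ticket. Returns the user record, or null to reject.
function redeem_ticket(string $ticket, array &$store, int $now): ?array
{
    $key = hash('sha256', $ticket);
    if (!isset($store[$key])) {
        return null;                                // unknown or already used
    }
    $row = $store[$key];
    unset($store[$key]);                            // single use, even if expired
    return $row['expires'] >= $now ? $row['user'] : null;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample data, not from the thread.
    $store   = [];
    $session = ['user' => ['id' => 42, 'name' => 'stefan', 'gender' => 'm']];
    $now     = 1138100000;

    parse_str(issue_ticket($session, $store, $now), $reply);
    var_dump(redeem_ticket($reply['ticket'], $store, $now + 5));   // fresh ticket
    var_dump(redeem_ticket($reply['ticket'], $store, $now + 6));   // same ticket replayed
    parse_str(issue_ticket($session, $store, $now), $late);
    var_dump(redeem_ticket($late['ticket'], $store, $now + 61));   // presented after expiry
    var_dump(issue_ticket([], $store, $now));                      // no logged-in session
}
```

In a deployed script, `issue_ticket` would be called with `$_SESSION` after `session_start()`, and `redeem_ticket` would sit behind an endpoint reachable only from the media server.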