You can assign a basic "role" to make sure that folks have been authenticated on a CFC framework before accessing that said CFC in general (which is good practice, as in many ways if it's public, you don't want people firing off CFCs based on what you've made exposed).
That being said, treat it much the same way you would HTML+CFMX. Never assume FLEX has total control and, when needed, always check their authentication information per method request.

I've basically set up the following:

- A xxxAppContextGateway.cfc, with the role "app_name_hereFLEX" on all "remote methods exposed"

- xxxAppContextGateway.cfc knows where to get various other CFCs within the model, some being CFMX based, others could be Java; basically it's a "facade" in many ways to the model.

- With regards to authentication, I provide a typical username/password form and ask the user to fill out that information. Now since I use the same form/mxml for various applications, as part of my mx:Application custom properties I assign an APPCODE (i.e. IWF08-ITM); this code also gets sent to my securityGateway.cfc. Inside this security gateway, based on code mappings it will authenticate those details against that person(s) and store various properties in session scope, as well as CFLOGIN with their respective roles. (NOTE: A login form can send a comma delim APPCODE for multiple application logins.)

From here on out the typical setup works where a session scope follows them around until they basically time out. I had to sadly make a timer setting that basically pinged the server every 5mins to reset their 10min timeout as well as to see if they are still valid/logged in (FSC+Application.cfc / onSessionEnd would have been good here, but anyway).

I also, due to Audit Requirements in my current FLEX app, am required to log certain activities client-side (i.e. UserXYZ clicked on View Invoice0001), which I basically log server-side. This also added another layer of security to first determine if that user had access to that invoice (some were marked private, and have strict assignees associated to them, so again, there was another handshake layer attached to see if I can perform that action).

Hope that helps?

On 7/12/05, a1111111111111 <[EMAIL PROTECTED]> wrote:
> I did some quick searching and didn't come up with anything too
> definitive on this. Coming from a typically ColdFusion only
> environment, I usually roll my own login security with session
> variables. I'm trying to get a firm understanding of what everyone
> considers the best practice for flex login security when using
> ColdFusion remoting.
>
> My thoughts are that putting roles on all my cfc's and calling
> cflogin with flash remoting would log the user into the role, and
> then if / when they are logged out a call to a remoting method will
> fail if they aren't in their role, and the remoting 'fault' can be
> fired to cause flex to show the login screen again.
>
> Is this the best method, or do most of you roll your own cfc security
> function? or can you do something with the session object in Flex?
>
> -Thanx
>
> --
> Flexcoders Mailing List
> FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt
> Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com
> Yahoo! Groups Links

--
Regards,
Scott Barnes
http://www.mossyblog.com
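
The two layers described in the reply above (a role on every remote method, then a per-invoice access check with server-side audit logging), shown as an added example that is not code from the thread or its authors. The component name, `viewInvoice`, `loadInvoice`, the `flexAudit` log file, the exception types and the sample data are all hypothetical; only the role name is taken from the message.

```cfml
<!--- InvoiceGateway.cfc: constructed for illustration; all names are hypothetical --->
<cfcomponent output="false">

    <!--- Layer 1: roles= rejects any caller not logged in (via cflogin) with this role --->
    <cffunction name="viewInvoice" access="remote" returntype="struct"
                roles="app_name_hereFLEX" output="false">
        <cfargument name="invoiceId" type="string" required="true">
        <cfset var user = getAuthUser()>
        <cfset var invoice = "">

        <!--- Validate the client-supplied id before it reaches the model or the log --->
        <cfif NOT reFind("^[A-Za-z0-9]{1,32}$", arguments.invoiceId)>
            <cfthrow type="Security.BadRequest" message="Invalid invoice id.">
        </cfif>
        <cfset invoice = loadInvoice(arguments.invoiceId)>

        <!--- Layer 2: private invoices are visible only to their assignees --->
        <cfif invoice.isPrivate AND NOT listFindNoCase(invoice.assignees, user)>
            <cflog file="flexAudit" type="warning"
                   text="DENIED user=#user# action=viewInvoice invoice=#arguments.invoiceId#">
            <cfthrow type="Security.NotAuthorized" message="Not authorized for this invoice.">
        </cfif>

        <!--- Audit trail is written server-side, after the access decision --->
        <cflog file="flexAudit" type="information"
               text="OK user=#user# action=viewInvoice invoice=#arguments.invoiceId#">
        <cfreturn invoice>
    </cffunction>

    <!--- Stand-in for the model lookup; returns constructed sample data --->
    <cffunction name="loadInvoice" access="private" returntype="struct" output="false">
        <cfargument name="invoiceId" type="string" required="true">
        <cfset var inv = structNew()>
        <cfset inv.id = arguments.invoiceId>
        <cfset inv.isPrivate = true>
        <cfset inv.assignees = "userxyz,userabc">
        <cfreturn inv>
    </cffunction>

</cfcomponent>
```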