The way I have been doing it, while admittedly probably not best, is this:
I have all my roles and user information in my database. When the user types in their username and password, it is encrypted, sent to the CFC which decrypts it, and runs a query against the database. If the authentication is successful, it encrypts and returns the user's data (name, role, etc.) to the Flex frontend, which then decrypts it and displays the information they have access to. The roles table of my database has flags for different sections of the app, and it has to return a positive value to open up access to view, or to edit, that section. The encryption key for the AES encryption is stored in an external XML file and is read in when the app loads. Additionally, I send the data via SSL. Is it hacker-proof? Probably not, but what is? It at least makes it enough of a pain that I haven't had any problems.

On 4/2/07, ripe101 <[EMAIL PROTECTED]> wrote:
OK, I have only found several posts asking, and many answers that don't seem to really address the issue. How is user authentication and session management handled best in Flex? Taking into consideration the following:

* All business logic is server side and available only to an authenticated user (and only the components they have access to).
* Cannot reverse engineer the Flash file to gain access to the server side.
* Each server side call must be authenticated.
* Preferably the main application is not downloaded until the user is authenticated.

I saw suggestions on authenticating the user and then storing the roles on the client; this seems very insecure, as the user could potentially write their own app and stick roles in that client side variable. I got the few books on Flex that are out there, but none of them really cover this critical issue. Maybe I'm missing something basic?

Thanks
JK
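Both messages turn on the same point: role flags handed to the Flex client can only drive layout, and the server has to re-derive them from its own session on every call, so a client that "sticks roles in a client side variable" gains nothing. The following is an added illustration, not code from either poster, written in Python rather than CFML; the user table, salt and password are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample data standing in for the users/roles tables in the thread.
# Passwords are stored as salted PBKDF2 hashes, so the server never decrypts them.
def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt"  # would be a random per-user salt in a real table
USERS = {
    "jk": {"salt": _SALT, "pw_hash": _hash_pw("correct horse", _SALT),
           "roles": {"reports": {"view": True, "edit": False}}},
}

# Server-side session store: opaque random token -> username. Only the token
# ever leaves the server; the roles it maps to are looked up here on each call.
SESSIONS = {}

def login(username, password):
    """Return (token, roles) on success, None on failure."""
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(_hash_pw(password, user["salt"]), user["pw_hash"]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    # Roles go back so the client can decide what to draw; they are
    # informational only, because authorize() re-checks on every request.
    return token, user["roles"]

def logout(token):
    SESSIONS.pop(token, None)

def authorize(token, section, action):
    """Every server-side call passes through here; only SESSIONS and USERS decide."""
    username = SESSIONS.get(token)
    if username is None:
        return False
    return USERS[username]["roles"].get(section, {}).get(action, False)

def handle_call(request):
    """Simulated remote call. Any 'roles' the client includes are simply ignored."""
    if not authorize(request.get("token"), request["section"], request["action"]):
        return {"ok": False, "error": "forbidden"}
    return {"ok": True, "data": f"{request['action']} {request['section']}"}
```

The token itself still has to travel over SSL and be tied to a server-side timeout, as the reply already does for its payload.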