Nick, thanks for the reply... One question: if you are using SSL, why are you also encrypting the data through the application?

I also saw mention in several presentations that Flex apps are being used by financial institutions, so this must have been tackled already in an "enterprise" security setting. Is it a full custom activity to implement strong security for Flex applications?

Thanks
JK

--- In [email protected], "Nick Collins" <[EMAIL PROTECTED]> wrote:
>
> The way I have been doing it, while admittedly probably not best, is this:
>
> I have all my roles and user information in my database. When the user types
> in their username and password, it is encrypted, sent to the CFC which
> decrypts it, and runs a query against the database. If the authentication is
> successful, it encrypts and returns the user's data (name, role, etc.) to the
> Flex frontend, which then decrypts it and displays the information they have
> access to. The roles table of my database has flags for different sections
> of the app, and it has to return a positive value to open up access to view,
> or to edit, that section. The encryption key for the AES encryption is
> stored in an external XML file and is read in when the app loads.
> Additionally, I send the data via SSL.
>
> Is it hacker-proof, probably not, but what is? It at least makes it enough
> of a pain that I haven't had any problems.
>
> On 4/2/07, ripe101 <[EMAIL PROTECTED]> wrote:
> >
> > OK, I have only found several posts asking, and many answers that don't
> > seem to really address the issue.
> >
> > How is user authentication and session management handled best in Flex?
> > Taking into consideration the following:
> >
> > * All business logic is server side and available only to an authenticated
> >   user (and only the components they have access to).
> > * Cannot reverse engineer the flash file to gain access to the server
> >   side.
> > * Each server side call must be authenticated.
> > * Preferably the main application is not downloaded until the user is
> >   authenticated.
> >
> > I saw suggestions on authenticating the user and then storing the roles on
> > the client; this seems very insecure, as the user could potentially write
> > their own app and stick roles in that client side variable.
> >
> > I got the few books on Flex that are out there, but none of them really
> > cover this critical issue. Maybe I'm missing something basic?
> >
> > Thanks
> > JK
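Editor's note, added to this thread and not written by any of its participants: the requirement ripe101 lists ("each server side call must be authenticated", roles not stored on the client) and JK's question about SSL both point at the same design. Over SSL/TLS the transport already protects the credentials in transit, and an AES key that the Flex client reads from a downloadable XML file is readable by whoever holds the client, so it adds no confidentiality against that user. What remains useful is to keep the session and the role lookup entirely on the server. The Python below is a hypothetical, self-contained model of that: the client gets only an opaque session token after login, and every later call is authorized by looking the roles up server-side, ignoring anything the client claims about itself. The user table, passwords, role names and the `handle_call` request shape are all constructed for the example.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256. Only the hash is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(password, permissions):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt), "perms": frozenset(permissions)}


# Constructed sample user table; stands in for the database the thread mentions.
# Permissions model the thread's "view" / "edit" flags per section of the app.
USERS = {
    "alice": make_user("correct horse", {"reports:view", "reports:edit"}),
    "bob": make_user("battery staple", {"reports:view"}),
}

# Server-side session store: opaque token -> username. Roles are never sent to the
# client as something it hands back; they are re-read from USERS on every call.
SESSIONS = {}


def login(username, password):
    """Verify credentials and issue an unguessable session token, or None."""
    user = USERS.get(username)
    if user is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        hash_password(password, b"\x00" * 16)
        return None
    if not hmac.compare_digest(user["hash"], hash_password(password, user["salt"])):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def logout(token):
    SESSIONS.pop(token, None)


def authorize(token, permission):
    """Every server call goes through here: valid session AND server-side role check."""
    username = SESSIONS.get(token)
    if username is None:
        return False
    return permission in USERS[username]["perms"]


def handle_call(request):
    """Dispatcher for a hypothetical server endpoint (request is a plain dict).

    Any 'roles' the client includes in the request are deliberately ignored; the
    only thing the client contributes to the decision is its session token.
    """
    token = request.get("token", "")
    action = request.get("action", "")
    if not authorize(token, action):
        return {"status": 403, "body": "forbidden"}
    return {"status": 200, "body": "%s ok for %s" % (action, SESSIONS[token])}


if __name__ == "__main__":
    t = login("bob", "battery staple")
    print(handle_call({"token": t, "action": "reports:view"}))
    # Forged client-side role claim changes nothing:
    print(handle_call({"token": t, "action": "reports:edit", "roles": ["reports:edit"]}))
    print(handle_call({"token": "made-up-token", "action": "reports:view"}))
```

In a real deployment the `SESSIONS` dict would be the server's session store (for a CFC, the ColdFusion session scope or a database-backed table) and the token would travel as a cookie or header over TLS; the point the model makes is that a client that "writes their own app and sticks roles in that client side variable" gains nothing, because the server never reads roles from the client.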

