I've been following this thread with great interest as I need to solve same issue.
My understanding is we can set credentials on the HttpService but I don't want this to be the username / password entered by the user, that is a separate layer. I want to protect my calls to the HttpService even if the user has not logged in, an "anonymous" access. But I don't see how a HTTPS connection solves my issue. HTTPS will ensure the communication between the client (browser / flash) and the http server is encrypted but it doesn't control what the client does with the data it gets back. If I can implement the hashing or encryption logic mentioned in flash, doesn't that mean a hacker can implement the exact same code in javascript and then be able to access the same secure http call my flash application can? If the swf file includes the key used to hash / encrypt, then the swf file could be decompiled or otherwise inspected to find the key? Thanks again guys for perservering with this thread. Tony Posted by: "André Rodrigues Pena" [EMAIL PROTECTED] techbreak2 Thu Apr 5, 2007 2:37 pm (PST) Thanks again for your help Ray and Peter.. I am actually a little lost. All I want is to guarantee that the user name and password that will go from Flex HTTPService to my JSP web-service will not be intercepted. And I'm also lost about how will I maintain the session with the HTTPService. Cookies dont seem to be possible, URL rewriting is possible mas I'll have to see how will I do that. At the moment of the login, my service will have to pass me a key or something like that. (as someone already mentioned) That I will use along with the other services... I'm lost. lol
