I would make a GUID or UUID token for this purpose. One type of token for Anonymous access and another type of token for Authenticated access.
I leave it up to you to determine how to differentiate the two types of tokens. If I were using HTTPService calls (REST) I would make a subclass for HTTPService to handle the way my tokens were being sent to the destination and the rest (no pun intended) would take care of itself.

----- Original Message ----
From: Tony Obermeit <[EMAIL PROTECTED]>
To: [email protected]
Sent: Thursday, April 5, 2007 4:08:38 PM
Subject: [flexcoders] Re: User authentication

I've been following this thread with great interest as I need to solve the same issue. My understanding is we can set credentials on the HttpService but I don't want this to be the username / password entered by the user, that is a separate layer. I want to protect my calls to the HttpService even if the user has not logged in, an "anonymous" access. But I don't see how an HTTPS connection solves my issue. HTTPS will ensure the communication between the client (browser / flash) and the http server is encrypted but it doesn't control what the client does with the data it gets back.

If I can implement the hashing or encryption logic mentioned in flash, doesn't that mean a hacker can implement the exact same code in javascript and then be able to access the same secure http call my flash application can? If the swf file includes the key used to hash / encrypt, then the swf file could be decompiled or otherwise inspected to find the key?

Thanks again guys for persevering with this thread.

Tony

Posted by: "André Rodrigues Pena" [EMAIL PROTECTED] com techbreak2 Thu Apr 5, 2007 2:37 pm (PST)

Thanks again for your help Ray and Peter.. I am actually a little lost. All I want is to guarantee that the user name and password that will go from Flex HTTPService to my JSP web-service will not be intercepted. And I'm also lost about how will I maintain the session with the HTTPService. Cookies don't seem to be possible, URL rewriting is possible but I'll have to see how will I do that.
At the moment of the login, my service will have to pass me a key or something like that. (as someone already mentioned) That I will use along with the other services... I'm lost. lol
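
A server-side sketch of the two-token scheme suggested at the top of this message, in Python for brevity. It is an added example, not code from the thread; `TokenStore`, its method names and the lifetimes are assumptions. The token is issued by the server per session and its type is recorded only on the server, so nothing secret is compiled into the SWF and a client cannot upgrade an anonymous token by editing it.

```python
import time
import uuid

# Lifetimes in seconds per token type (assumed values, not from the thread).
TOKEN_TTL = {"anonymous": 300, "authenticated": 1800}


class TokenStore:
    """Server-side table of opaque session tokens (hypothetical helper)."""

    def __init__(self, clock=time.time):
        self._sessions = {}  # token -> (kind, user, expiry timestamp)
        self._clock = clock

    def issue(self, kind, user=None):
        """Create a token; the login service calls this after checking the password."""
        if kind not in TOKEN_TTL:
            raise ValueError("unknown token kind")
        if kind == "authenticated" and not user:
            raise ValueError("authenticated token requires a user")
        # Version 4 UUIDs are random (os.urandom in CPython); never use the
        # time-based uuid1 here, its values are predictable.
        token = str(uuid.uuid4())
        self._sessions[token] = (kind, user, self._clock() + TOKEN_TTL[kind])
        return token

    def check(self, token, required_kind):
        """Return the user name (or "anonymous") for a valid token, else None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        kind, user, expires = entry
        if self._clock() >= expires:
            del self._sessions[token]  # expired: forget it
            return None
        # An authenticated token also opens anonymous services, never the reverse.
        if required_kind == "authenticated" and kind != "authenticated":
            return None
        return user or "anonymous"

    def revoke(self, token):
        """Logout: the token stops working immediately."""
        self._sessions.pop(token, None)
```

The token still has to travel over HTTPS on every call, since anyone who captures it can replay it until it expires or is revoked.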

