Well the thing about this application is, I don't own the server. I'm using a 
3rd party Internet web service (salesforce.com in this case). So I can't change 
the way the server authenticates people - actually it does so in a very rational 
way anyway. The requirement was simply to save the user the pain of having to 
type in their username and password every single time they hit my app since the 
browser auto-fill feature doesn't work for Flex apps. It's easy to store the 
username because I can throw it into a SharedObject because it's not sensitive, 
but for the password the salesforce.com security requirements are such that you 
can only store local passwords if you encrypt them and you can't store the 
encryption key in the code. Anyway, thanks for everybody's input but it is 
looking like this requirement just isn't going to make sense, so I think I will 
push to just have the username saved but not the password.

Ryan

--- In flexcoders@yahoogroups.com, "Paul Andrews" <[EMAIL PROTECTED]> wrote:
>
> It's effectively wanting to have a browser cookie that remembers your 
> session. It's clearly open to all kinds of abuse, encrypted or not. I'd make 
> darn sure that whoever raised this as a requirement was well aware of the 
> dangers - if only to cover my own back.
> 
> Even with this requirement not to have to log on between sessions, there's 
> no need to keep the username or password locally.
> 
> When the user logs on, the user provides a login name and password to the 
> webservice - as per normal. The webservice passes back a session key.
> 
> This key should be encrypted but should not have the username or password in 
> it. I would suggest a session identifier of some kind (that is mapped on the 
> server back to the username), a sequence id (that changes on every exchange 
> with the server - it could be a timestamp), plus anything else you can think 
> of - checksum, etc. This key cannot be interpreted by a third party as 
> belonging to a particular user, nor does it hold password information.
> 
> Whenever the client requests something of the server it passes the key, but 
> no login information (as well as other parameters relating to the request). 
> The server decodes the key and looks up the session information. It can 
> associate the key with a specific user, it also expects the key to have the 
> same key sequence id that was sent the last time around. If the key sequence 
> is invalid (perhaps the client died before the key could be saved on the 
> client, or perhaps the message was lost), the server can request that the 
> client re-submits login information. It will expect the same user to 
> re-login, or the session will be invalidated.
> 
> Once the session is verified, the server can return the information 
> requested to the client. It also passes back a new (different) session key 
> to replace the old one. The whole thing repeats. The server can time out 
> keys that aren't used and it prevents 'stolen' keys from having any value 
> once the genuine client has initiated a new transfer.
> 
> The user is at liberty to login on another machine at any time - it either 
> invalidates the session key associated with the other machine, or continues 
> in that session context. You can also time-out sessions across any period 
> you like. If a user logs out on the client, the local session key should be 
> removed on both client and server.
> 
> I hope that explains the idea - it's baton passing between client and server 
> and the baton changes on every exchange. The server knows what baton to 
> expect for the next exchange and if anything gets out of kilter, it just 
> re-requests that the client logs in again. The username and password are 
> never stored permanently on the client.
> 
> Hope that helps. Don't store the password!
> 
> Paul
> 
> ----- Original Message ----- 
> From: "Jeffry Houser" <[EMAIL PROTECTED]>
> To: <flexcoders@yahoogroups.com>
> Sent: Wednesday, December 05, 2007 2:31 AM
> Subject: Re: SPAM-LOW: [flexcoders] Re: Local storage of password
> 
> 
> >
> >  ( Thanks for listening; glad you enjoy )
> >
> >  You are working on an application with very odd security requirements.
> >  I almost think you'd be better off with a completely open web service.
> >
> >  You might store the encryption key in a database or server side / non
> > web accessible XML and use some form of remoting (or at least SSL) to
> > pass it back and forth to the Flex client.
> >
> >
> >
> > rmarples wrote:
> >>
> >>
> >> Hi Jeff - Thanks for the response. By the way, great podcast :)
> >>
> >> I will look into the encryption libraries that both you and William
> >> mentioned but I'm wondering how they handle the encryption key. I have a
> >> requirement that I can't store the encryption key in the source code as a
> >> string literal. I'm wondering if you or anybody else has ideas on how to
> >> handle this?
> >>
> >> Ryan
> >>
> >> --- In flexcoders@yahoogroups.com, Jeffry Houser <jeff@> wrote:
> >>  >
> >>  >
> >>  > Yes, MD5 is a hashing algorithm and it is unlikely you'd be able to
> >>  > take a hash and get the original text (in a timely / efficient manner).
> >>  >
> >>  > There are a few AS3 encryption projects. ASCrypt3:
> >>  > ascrypt3.riaforge.com and Crypto http://crypto.hurlant.com/
> >>  >
> >>  > Both of them have 2-way encryption algorithms you could use. AES
> >>  > perhaps? That said, I worry about the security implications of storing
> >>  > this type of authentication between application uses.
> >>  >
> >>  > rmarples wrote:
> >>  > >
> >>  > >
> >>  > > Tracy - Isn't MD5 a hashing algorithm? Meaning I can only encrypt,
> >>  > > not decrypt? I don't think this would work for this scenario, would it?
> >>  > >
> >>  > > Ryan
> >>  > >
> >>  > > --- In flexcoders@yahoogroups.com, "Tracy Spratt" <tspratt@> wrote:
> >>  > > >
> >>  > > > There is an MD5 library available for AS3 that I have used.
> >>  > > >
> >>  > > >
> >>  > > >
> >>  > > > Tracy
> >>  > > >
> >>  > > >
> >>  > > >
> >>  > > > ________________________________
> >>  > > >
> >>  > > > From: flexcoders@yahoogroups.com [mailto:flexcoders@yahoogroups.com] On
> >>  > > > Behalf Of rmarples
> >>  > > > Sent: Monday, December 03, 2007 4:59 PM
> >>  > > > To: flexcoders@yahoogroups.com
> >>  > > > Subject: [flexcoders] Local storage of password
> >>  > > >
> >>  > > > I have a requirement to take credentials used for an external web
> >>  > > > service and cache them locally so that the user need not re-type
> >>  > > > their password each time they run the app. I can easily store these
> >>  > > > credentials in a SharedObject (cookie) but I don't want to store the
> >>  > > > password in plain-text here. Does anybody have any recommendations
> >>  > > > on an encrypt/decrypt mechanism I can use for this? Also I have a
> >>  > > > requirement that any key used to encrypt cannot be stored in the
> >>  > > > source code as a string literal.
> >>  > > >
> >>  > > > Ryan
> >>  > > >
> >>  > >
> >>  > >
> >>  >
> >>  > --
> >>  > Jeffry Houser, Technical Entrepreneur, Software Developer, Author,
> >>  > Recording Engineer
> >>  > AIM: Reboog711 | Phone: 1-203-379-0773
> >>  > --
> >>  > My Company: <http://www.dot-com-it.com>
> >>  > My Podcast: <http://www.theflexshow.com>
> >>  > My Blog: <http://www.jeffryhouser.com>
> >>  >
> >>
> >>
> >
>
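Paul's baton-passing scheme above, as an added example that is not code from the thread: a minimal in-memory server side in Python that issues an opaque HMAC-tagged session key, replaces it on every exchange, and forces a re-login when the presented key is replayed, forged or expired. The user table, server key and timeout are constructed assumptions; a real service would verify a salted password hash and persist its session store.

```python
import base64, hashlib, hmac, os, struct, time

USERS = {"alice": "correct horse battery"}  # constructed demo; real code checks a salted hash
SERVER_KEY = os.urandom(32)   # assumption: server-side only, never shipped to the client
SESSION_TTL = 300             # seconds of inactivity after which a baton is dead
TOKEN_LEN = 16 + 8 + 32       # session id + sequence number + HMAC-SHA256 tag

class SessionServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}    # session id -> [username, expected_seq, last_used]

    def _mint(self, sid, seq):
        body = sid + struct.pack(">Q", seq)
        tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body + tag).decode()

    def _parse(self, token):
        try:
            raw = base64.urlsafe_b64decode(token)
        except ValueError:
            return None
        if len(raw) != TOKEN_LEN:
            return None
        body, tag = raw[:24], raw[24:]
        expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None       # forged or corrupted baton
        return body[:16], struct.unpack(">Q", body[16:])[0]

    def login(self, username, password):
        if not hmac.compare_digest(USERS.get(username, "").encode(), password.encode()):
            return None
        # A fresh login from another machine invalidates the user's earlier session.
        self.sessions = {s: v for s, v in self.sessions.items() if v[0] != username}
        sid = os.urandom(16)
        self.sessions[sid] = [username, 0, self.clock()]
        return self._mint(sid, 0)

    def request(self, token, payload):
        parsed = self._parse(token)
        sess = self.sessions.get(parsed[0]) if parsed else None
        if sess is None:
            return "RELOGIN", None, None
        user, seq, last_used = sess
        if parsed[1] != seq or self.clock() - last_used > SESSION_TTL:
            del self.sessions[parsed[0]]   # replayed, stale or expired: force re-login
            return "RELOGIN", None, None
        sess[1], sess[2] = seq + 1, self.clock()
        return "OK", self._mint(parsed[0], seq + 1), f"{user}: {payload}"
```

The client keeps only the latest token in its SharedObject and sends it with every call; a token that arrives out of sequence costs the attacker nothing but tells the genuine user to log in again.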