Just remember that the shared object is a plain-text storage device and by default its contents are not encrypted. Hashing would help - but will only deter the casual/inexperienced hacker. A hardened approach will require more design time. Since the shared object is essentially cookies for Flash, I've found it helpful to look at 'remember me' best practices for standard browser cookies.

http://jaspan.com/improved_persistent_login_cookie_best_practice

As a rule, if your system requires a logon, you've already answered the question about the need to secure your data, so the question about hardening the system against attacks should follow suit. The 'remember me' box is an open invitation to a hacker - and is a good first stop for getting around security. Let me say that a different way: by including remember me functionality in your site you have opened a door that can/will circumvent any system security you put into place - unless you integrate countermeasures into your design that minimize the risk associated with the remember me functionality.

Rick Winscot

From: [email protected] [mailto:[EMAIL PROTECTED]] On Behalf Of Beau Scott
Sent: Tuesday, March 04, 2008 1:26 PM
To: [email protected]
Subject: RE: [flexcoders] A persistent logon system in flex?

Store it in a local SharedObject maybe? I'd make a hash that could be validated by whatever your authentication system is rather than the clear text user/pass though.

Beau

From: [email protected] [mailto:[EMAIL PROTECTED]] On Behalf Of mbhoisie
Sent: Tuesday, March 04, 2008 11:13 AM
To: [email protected]
Subject: [flexcoders] A persistent logon system in flex?

I'm trying to implement a "remember me" feature in a Flex/BlazeDS application. This is where users enter their credentials in a Flex message box, and something identifying their logon session is stored on the Flex client, even if they close and re-open the application. I've been looking at storing this information in attributes on FlexSession and FlexClient, but these are temporary, and any attributes get deleted when the application is closed. Has anyone been able to do this, without reverting to an ugly Ajax bridge? The server-side is a simple Tomcat servlet.

Thanks!

Mike
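The thread stops at "store a hash in the SharedObject" and a link to the series/token scheme. As an added example (not code from the thread, from BlazeDS, or from the linked page), here is the server-side half of that scheme, written for the Tomcat side of the design but in Python so it runs stand-alone: the client (a Flex SharedObject here, a browser cookie elsewhere) holds only an opaque "series:token" string; the server keeps the user, the series and a hash of the token; every successful redemption rotates the token; and a valid series presented with a stale token is treated as a copied credential, which revokes every remembered login for that user. The in-memory dictionary standing in for the servlet's database, the 30-day lifetime and the `now` clock parameter are assumptions made for the example.

```python
"""
Server-side 'remember me' store modelled on the series/token design
(the improved persistent login cookie). Added example for the thread
above; not code from flexcoders, BlazeDS or the linked article.
Assumed: an in-memory dict replaces the servlet's database, tokens
live 30 days, and the client stores only the "series:token" string.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 24 * 3600  # assumed lifetime of a remembered login


def _digest(token: str) -> str:
    # Only a hash of the token is stored, so a leaked table does not
    # contain usable tokens (the same reason passwords are hashed).
    return hashlib.sha256(token.encode()).hexdigest()


class PersistentLoginStore:
    def __init__(self, now=time.time):
        self._now = now
        # series -> {"user": str, "token_hash": str, "expires": float}
        self._rows = {}

    def issue(self, user: str) -> str:
        """Called once after a successful password login with 'remember me'
        ticked. Returns the opaque value the client stores; the username and
        password never go into the SharedObject at all."""
        series = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self._rows[series] = {
            "user": user,
            "token_hash": _digest(token),
            "expires": self._now() + TOKEN_TTL_SECONDS,
        }
        return f"{series}:{token}"

    def redeem(self, cookie: str):
        """Validate a stored value on application start.
        Returns (user, new_cookie) on success or (None, None) on rejection.
        A known series with the wrong token means the token was already
        spent, i.e. someone copied the SharedObject: all remembered logins
        for that user are revoked and a password login is required."""
        if cookie.count(":") != 1:
            return None, None
        series, token = cookie.split(":", 1)
        row = self._rows.get(series)
        if row is None:
            return None, None
        if row["expires"] < self._now():
            del self._rows[series]
            return None, None
        if not hmac.compare_digest(row["token_hash"], _digest(token)):
            self.revoke_user(row["user"])
            return None, None
        # Single use: rotate the token so a replayed copy is caught next time.
        new_token = secrets.token_urlsafe(32)
        row["token_hash"] = _digest(new_token)
        return row["user"], f"{series}:{new_token}"

    def revoke_user(self, user: str) -> int:
        """Drop every series for a user: theft detected, password changed,
        or 'log out everywhere'. Returns how many were dropped."""
        doomed = [s for s, r in self._rows.items() if r["user"] == user]
        for s in doomed:
            del self._rows[s]
        return len(doomed)

    def active_series(self, user: str) -> int:
        return sum(1 for r in self._rows.values() if r["user"] == user)


def demo():
    """Issue, redeem, then replay the original copy; return what was observed."""
    store = PersistentLoginStore()
    first = store.issue("mike")
    user, second = store.redeem(first)      # legitimate return: accepted, rotated
    replay_user, _ = store.redeem(first)    # old copy replayed: theft, user revoked
    return user, second != first, replay_user, store.active_series("mike")
```

The client side is deliberately dumb: it writes whatever string `issue` or `redeem` hands back into the SharedObject and sends it back on the next start. The value is still readable on disk, as Rick warns, but reading it buys the attacker one use, after which the legitimate user's next start trips the revocation and forces a password login for everyone holding that series.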

