this is really getting off the topic of Flex Componentry, but this conversation, inc Beau Scott's comments are (IMHO) extremely valuable.

this is the part that I'm stuck on:

"However, if your Flex application is just a face to a web application and you need access to the session variables for certain display issues, then make a service request to retrieve what you need into your application."

especially this bit:

"You really shouldn't be sending session information up and down from the server (except maybe a session identifier) as this opens the gate for someone to hijack the service request and alter values that could have unpredictable effects on your application."

If the user has been authenticated previously (HTML pages), how do you then get Flex to

1) keep the session alive on the server?
2) ensure the Flash Remoting requests are coming from a specific authenticated user?

thanx
barry.b

On Nov 20, 2007 7:47 AM, Beau Scott <[EMAIL PROTECTED]> wrote:
> Just a bit of advice regarding storing session information on the client
> (flex) application: it is not secure. This really gets down into MVC dogma
> (and second MVC layer that Flex introduces) and asks the question: Where are
> you doing your heavy lifting?
>
> If you're doing most of your computation in your flex application, then
> sure... use application variables inside your application or SharedObjects.
>
> However, if your Flex application is just a face to a web application and
> you need access to the session variables for certain display issues, then
> make a service request to retrieve what you need into your application. You
> really shouldn't be sending session information up and down from the server
> (except maybe a session identifier) as this opens the gate for someone to
> hijack the service request and alter values that could have unpredictable
> effects on your application.
>
> Beau
>
> On Nov 19, 2007 11:51 AM, Jeffry Houser <[EMAIL PROTECTED]> wrote:
> >
> > In the ColdFusion world, session variables are used to get around the
> > statelessness of a browser. Cookies are passed back and forth between each
> > page request, which the server ties into "in memory" variables.
> >
> > From what I understand, in the .NET world the concept is very similar,
> > except that .NET stores session variables in a database, not in memory.
> > ( I could be completely wrong ).
> >
> > In a Flex application, you aren't performing multiple page requests in
> > the same vein that you would when serving dynamically generated HTML,
> > and therefore don't need session variables.
> >
> > Store your "session" state as part of the Flex application, not on the
> > remote server.
> >
> > honoraryvato wrote:
> > >
> > > I did some research on session variables with Flex. The only options
> > > that I can see are to either have the .NET page that the SWF is on to
> > > check if there is already a session variable or not and then use
> > > something like FlashVars to load it in. Another option is to have Flex
> > > itself call out to a page that then checks the session. Are these the
> > > only two options? Is there a nicer way for Flex to read/write session
> > > variables?
> > >
> >
> > --
> > Jeffry Houser, Technical Entrepreneur, Software Developer, Author,
> > Recording Engineer
> > AIM: Reboog711 | Phone: 1-203-379-0773
> > --
> > My Company: <http://www.dot-com-it.com>
> > My Podcast: <http://www.theflexshow.com>
> > My Blog: <http://www.jeffryhouser.com>
> >
>
> --
> Beau D. Scott
> Software Engineer
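
The design quoted above (only a session identifier travels with each request, and session values stay on the server) sketched as an added example that is not part of the original thread. Python stands in for the ColdFusion or .NET back end; the function names, the request layout and the timeout value are assumptions made for illustration.

```python
import secrets
import time

SESSION_TTL = 1800  # idle seconds before a session expires (constructed value)
_sessions = {}      # session id -> state held only on the server


def login(user, role, now=None):
    """Run once the HTML login succeeds; returns the opaque id to set as a cookie."""
    sid = secrets.token_urlsafe(32)
    seen = time.time() if now is None else now
    _sessions[sid] = {"user": user, "role": role, "seen": seen}
    return sid


def _lookup(sid, now):
    """Return the live session for sid or None; a valid hit keeps it alive."""
    session = _sessions.get(sid)
    if session is None:
        return None
    if now - session["seen"] > SESSION_TTL:
        del _sessions[sid]
        return None
    session["seen"] = now
    return session


def handle_insecure(request):
    """Trusts session values echoed back by the client, so an edited request wins."""
    return {"user": request["user"], "can_delete": request["role"] == "admin"}


def handle(request, now=None):
    """Reads only the session id; user and role come from server-side state."""
    now = time.time() if now is None else now
    session = _lookup(request.get("sid", ""), now)
    if session is None:
        return {"error": "not authenticated"}
    return {"user": session["user"], "can_delete": session["role"] == "admin"}


if __name__ == "__main__":
    sid = login("barry", "user")
    tampered = {"sid": sid, "user": "barry", "role": "admin"}  # constructed request
    print(handle_insecure(tampered))
    print(handle(tampered))
```

Each authenticated request refreshes the session's last-seen time, and any values the client needs for display are returned by the service call rather than supplied by the client.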
