When you store information in a flex app that is also stored on the server, it's really not "session" information anymore, it's your model.
By your example, you wouldn't store the shopping cart information solely in your flex application, but rather store it in a session variable in your web application and retrieve that information into your flex app for display. If you stored it entirely in your Flex application, you have no validation of the data in the client against what the server would expect. It's just not good practice.

What I was mainly cautioning against is storing authentication information in a web app. Remember that values in memory can be easily modified using memory hack apps without your Flex app's knowledge, which could provide a back door into your web application because you'd be dealing with unchecked data.

Best practice (using your shopping cart example):

1: User clicks to add item to cart
2: Service command is issued saying to add the item to the server's cart session
3: (and this can either be a subsequent action or the result of the first call) A list is retrieved of the current cart items according to the server
4: rinse and repeat till cart is complete
5: on checkout, the items in the cart are not sent from the client up, since the server is already aware of what it has (means you can't inject unchecked data into the cart, or if you do, it has no impact on the application). Only new information is sent up, like customer addresses, etc.

I know this is all basic MVC stuff, but I just wanted to be clear about my cautionary statement.

Beau

From: [email protected] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Houser
Sent: Monday, November 19, 2007 4:13 PM
To: [email protected]
Subject: [flexcomponents] Re: Session variables

--- In [email protected] <mailto:flexcomponents%40yahoogroups.com>, "Beau Scott" <[EMAIL PROTECTED]> wrote:
>
> Just a bit of advice regarding storing session information on the client
> (flex) application: it is not secure.

Can you elaborate as to why storing info in a Flex application is not secure?

> However, if your Flex application is just a face to a web application and
> you need access to the session variables for certain display issues, then
> make a service request to retrieve what you need into your application. You
> really shouldn't be sending session information up and down from the server

Why not? It sounds to me like you are coming from the perspective that sessions are storing sensitive data; but I can envision many applications where that is not the case.

For example, take a shopping cart (which seems to be a common example for web applications). In the "old world", you may create a session variable to be the shopping cart and store items that the user has added to the cart. Each cart item probably consists of a ProductID, a quantity, and perhaps a price. If you are building a Flex shopping cart, then it seems to make sense to store that information as variables in the Flex client instead of in session variables on a server.

--
Jeffry Houser, Technical Entrepreneur, Software Developer, Author, Recording Engineer
AIM: Reboog711 | Phone: 1-203-379-0773
--
My Company: <http://www.dot-com-it.com>
My Podcast: <http://www.theflexshow.com>
My Blog: <http://www.jeffryhouser.com>
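
The server-side cart flow from the numbered steps in Beau's reply, as an added example that is not part of the original thread or any poster's code: the cart and prices live in the server session, and checkout reads only customer details from the client. The catalogue, session id, field names and quantity limit are assumptions made for illustration.

```python
from decimal import Decimal

# Constructed catalogue (assumption): prices live only on the server.
CATALOG = {"sku-1": Decimal("19.99"), "sku-2": Decimal("5.00")}
CHECKOUT_FIELDS = {"name", "address"}  # the only data accepted from the client
MAX_QUANTITY = 100                     # hypothetical per-request limit

class CartService:
    def __init__(self):
        self._sessions = {}  # session id -> {product_id: quantity}

    def add_item(self, session_id, product_id, quantity):
        """Steps 1-3: validate, update the server cart, return the server's view."""
        if product_id not in CATALOG:
            raise ValueError("unknown product")
        if (isinstance(quantity, bool) or not isinstance(quantity, int)
                or not 1 <= quantity <= MAX_QUANTITY):
            raise ValueError("bad quantity")
        cart = self._sessions.setdefault(session_id, {})
        cart[product_id] = cart.get(product_id, 0) + quantity
        return self.view(session_id)

    def view(self, session_id):
        """The list the client displays; prices are looked up, never received."""
        cart = self._sessions.get(session_id, {})
        return [{"product_id": p, "quantity": q, "price": CATALOG[p]}
                for p, q in sorted(cart.items())]

    def checkout(self, session_id, client_payload):
        """Step 5: only new information (customer details) is read from the client."""
        items = self.view(session_id)
        if not items:
            raise ValueError("empty cart")
        ignored = sorted(set(client_payload) - CHECKOUT_FIELDS)
        customer = {k: str(client_payload[k]) for k in CHECKOUT_FIELDS}
        total = sum(i["price"] * i["quantity"] for i in items)
        del self._sessions[session_id]
        return {"items": items, "total": total, "customer": customer,
                "ignored_fields": ignored}

def demo():
    svc = CartService()
    svc.add_item("sess-A", "sku-1", 2)
    svc.add_item("sess-A", "sku-2", 1)
    # Constructed tampered request: client memory was edited to claim a free cart.
    tampered = {"name": "Pat", "address": "1 Main St", "total": "0.00",
                "items": [{"product_id": "sku-1", "quantity": 2, "price": "0.00"}]}
    return svc.checkout("sess-A", tampered)
```

The tampered `items` and `total` fields appear only in `ignored_fields`; the order total is computed from the server's own cart and catalogue.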
