In response to other parts of this thread... if the var is really a session var then it shouldn't be stored anywhere where it would persist beyond the session, like in a cookie or in the LocalSharedObject.

On Nov 19, 2007, at 4:33 PM, Barry Beattie wrote:

> this is really getting off the topic of Flex Componentry, but this
> conversation, inc Beau Scott's comments are (IMHO) extremely valuable.
>
> this is the part that I'm stuck on:
>
> "However, if your Flex application is just a face to a web application
> and you need access to the session variables for certain display
> issues, then make a service request to retrieve what you need into
> your application."
>
> especially this bit:
>
> "You really shouldn't be sending session information up and down from
> the server (except maybe a session identifier) as this opens the gate
> for someone to hijack the service request and alter values that could
> have unpredictable effects on your application."
>
> If the user has been authenticated previously (HTML pages), how do you
> then get Flex to
> 1) keep the session alive on the server?

What I have done in the past is have a periodic task run that pings the server to keep the session going. I listen for the idle event on the SystemManager for this. I also keep track of how many times this has happened without any user activity. I don't want this session to be indefinite, so I will do a logout after a certain period.

> 2) ensure the Flash Remoting requests are coming from a specific
> authenticated user?

In some cases I pass a sessionid around, but for the most part the browser takes care of this with cookies.

> thanx
> barry.b
>
> On Nov 20, 2007 7:47 AM, Beau Scott <[EMAIL PROTECTED]> wrote:
>>
>> Just a bit of advice regarding storing session information on the
>> client (flex) application: it is not secure. This really gets down
>> into MVC dogma (and second MVC layer that Flex introduces) and asks
>> the question: Where are you doing your heavy lifting?
>>
>> If you're doing most of your computation in your flex application,
>> then sure... use application variables inside your application or
>> SharedObjects.
>>
>> However, if your Flex application is just a face to a web application
>> and you need access to the session variables for certain display
>> issues, then make a service request to retrieve what you need into
>> your application. You really shouldn't be sending session information
>> up and down from the server (except maybe a session identifier) as
>> this opens the gate for someone to hijack the service request and
>> alter values that could have unpredictable effects on your
>> application.
>>
>> Beau
>>
>> On Nov 19, 2007 11:51 AM, Jeffry Houser <[EMAIL PROTECTED]> wrote:
>>>
>>> In the ColdFusion world, session variables are used to get around
>>> the statelessness of a browser. Cookies are passed back and forth
>>> between each page request, which the server ties into "in memory"
>>> variables.
>>>
>>> From what I understand, in the .NET world the concept is very
>>> similar, except that .NET stores session variables in a database,
>>> not in memory. ( I could be completely wrong ).
>>>
>>> In a Flex application, you aren't performing multiple page requests
>>> in the same vein that you would when serving dynamically generated
>>> HTML, and therefore don't need session variables.
>>>
>>> Store your "session" state as part of the Flex application, not on
>>> the remote server.
>>>
>>> honoraryvato wrote:
>>>>
>>>> I did some research on session variables with Flex. The only
>>>> options that I can see is to either have the .NET page that the
>>>> SWF is on to check if there is already a session variable or not
>>>> and then use something like FlashVars to load it in. Another
>>>> option is to have Flex itself call out to a page that then checks
>>>> the session. Are these the only two options? Is there a nicer way
>>>> for Flex to read/write session variables?
>>>>
>>>
>>> --
>>> Jeffry Houser, Technical Entrepreneur, Software Developer, Author,
>>> Recording Engineer
>>> AIM: Reboog711 | Phone: 1-203-379-0773
>>> --
>>> My Company: <http://www.dot-com-it.com>
>>> My Podcast: <http://www.theflexshow.com>
>>> My Blog: <http://www.jeffryhouser.com>
>>>
>>
>> --
>> Beau D. Scott
>> Software Engineer
>>
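
The server-side half of the two points discussed in this thread (keep-alive pings with a cap on idle time, and passing only a session identifier), as an added example that is not code from any poster. The class name, method names, and both timeouts are assumptions, and the idle cap is enforced on the server here rather than in the client.

```python
import secrets
import time

SESSION_TTL = 5 * 60   # assumed: session is dropped if untouched this long
IDLE_LIMIT = 15 * 60   # assumed: max time without real user activity


class SessionStore:
    """Session state lives on the server, keyed by an opaque random id."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}

    def login(self, user, role):
        sid = secrets.token_urlsafe(32)  # the only value the client holds
        now = self._clock()
        self._sessions[sid] = {"user": user, "role": role,
                               "last_seen": now, "last_activity": now}
        return sid

    def _live(self, sid):
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        expired = now - s["last_seen"] > SESSION_TTL
        idle = now - s["last_activity"] > IDLE_LIMIT
        if expired or idle:
            del self._sessions[sid]  # forced logout
            return None
        s["last_seen"] = now
        return s

    def ping(self, sid):
        """Keep-alive from an idle client: refreshes the TTL only,
        so pings alone cannot keep a session open indefinitely."""
        return self._live(sid) is not None

    def request(self, sid, action, client_fields=None):
        """A user-driven call. client_fields stands for anything else the
        client sent; authorization never reads it."""
        s = self._live(sid)
        if s is None:
            return "login required"
        s["last_activity"] = s["last_seen"]
        if action == "delete_user" and s["role"] != "admin":
            return "forbidden"
        return f"{action} ok for {s['user']}"
```

A request that carries `{"role": "admin"}` in its body is still refused, because the role is read from the server's record for that session id.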
