Just remember that the shared object is a plain-text storage device and by
default its contents are not encrypted. Hashing would help - but will only
deter the casual/inexperienced hacker. A hardened approach will require more
design time. Since the shared object is essentially cookies for Flash, I've
found it helpful to look at 'remember me' best practices for standard
browser cookies.
http://jaspan.com/improved_persistent_login_cookie_best_practice
As a rule, if your system requires a logon - you've already answered the
question about the need to secure your data. So the question about
hardening the system to attacks should follow suit. The 'remember me' box is
an open invitation to a hacker - and is a good first stop for getting around
security. Let me say that a different way: by including remember me
functionality in your site you have opened a door that can/will circumvent
any system security you put into place - unless you integrate
countermeasures into your design that minimize the risk associated with the
remember me functionality.
Rick Winscot
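The series/token scheme from the linked write-up, as an added example of the server-side half (not code from this thread, from BlazeDS or from Jaspan's page); it is written in Python for illustration rather than as a Tomcat servlet, and the class, method and status names are assumptions of this example. The Flash client keeps only the opaque (series, token) pair in its SharedObject, so a copied file yields nothing reusable once the real client has logged in again.

```python
import hashlib
import hmac
import secrets


class PersistentLoginStore:
    """Server-side table of remember-me series: series id -> (user, hashed token).

    Hashing the stored token is an addition of this example; the tokens are
    high-entropy random values, so a plain SHA-256 is enough (no need for a
    slow password hash here).
    """

    def __init__(self):
        self._series = {}  # series id -> {"user": str, "token_hash": bytes}

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue(self, user: str):
        """Start a new series for a fresh login; return (series, token) for the client."""
        series = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self._series[series] = {"user": user, "token_hash": self._hash(token)}
        return series, token

    def redeem(self, series: str, token: str):
        """Validate a presented pair. Returns (status, user, new_token)."""
        entry = self._series.get(series)
        if entry is None:
            return "invalid", None, None  # unknown series: treat as no cookie
        if not hmac.compare_digest(entry["token_hash"], self._hash(token)):
            # Known series, wrong token: the pair was already used elsewhere,
            # which is what a copied SharedObject looks like. Kill every
            # series for that user so the copy can never be replayed.
            user = entry["user"]
            self.revoke_user(user)
            return "theft", user, None
        # Valid: rotate the token so any stolen copy is single-use.
        new_token = secrets.token_urlsafe(32)
        entry["token_hash"] = self._hash(new_token)
        return "ok", entry["user"], new_token

    def revoke_user(self, user: str):
        """Drop all series for a user (logout everywhere / theft response)."""
        for s in [s for s, e in self._series.items() if e["user"] == user]:
            del self._series[s]
```

A "theft" result should also force a full re-login and log the event, since it is the one signal this scheme gives you that the shared object was copied.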
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of Beau Scott
Sent: Tuesday, March 04, 2008 1:26 PM
To: flexcoders@yahoogroups.com
Subject: RE: [flexcoders] A persistent logon system in flex?
Store it in a local SharedObject maybe?
I'd make a hash that could be validated by whatever your authentication
system is rather than the clear text user/pass though.
Beau
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of mbhoisie
Sent: Tuesday, March 04, 2008 11:13 AM
To: flexcoders@yahoogroups.com
Subject: [flexcoders] A persistent logon system in flex?
I'm trying to implement a remember me feature in a Flex/BlazeDS
application. This is where users enter their credentials in a flex
message box, and something identifying their logon session is stored on
the flex client, even if they close and re-open the application.
I've been looking at storing this information in attributes on
FlexSession and FlexClient, but these are temporary, and any attributes
get deleted when the application is closed.
Has anyone been able to do this, without reverting to an ugly ajax
bridge? The server-side is a simple tomcat servlet.
Thanks!
Mike