RE: [flexcoders] A persistent logon system in flex?

2008-03-25 Thread Rick Winscot
Just remember that the shared object is a plain-text storage device and by
default its contents are not encrypted. Hashing would help - but will only
deter the casual/inexperienced hacker. A hardened approach will require more
design time. Since the shared object is essentially cookies for Flash, I've
found it helpful to look at 'remember me' best practices for standard
browser cookies.

 

http://jaspan.com/improved_persistent_login_cookie_best_practice

 

As a rule, if your system requires a logon, you've already answered the
question about the need to secure your data, so the question about
hardening the system to attacks should follow suit. The 'remember me' box is
an open invitation to a hacker - and is a good first stop for getting around
security. Let me say that a different way: by including remember me
functionality in your site you have opened a door that can/will circumvent
any system security you put into place - unless you integrate
countermeasures into your design that minimize the risk associated with the
remember me functionality.

 

Rick Winscot

 

 

From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of Beau Scott
Sent: Tuesday, March 04, 2008 1:26 PM
To: flexcoders@yahoogroups.com
Subject: RE: [flexcoders] A persistent logon system in flex?

 

Store it in a local SharedObject maybe?

 

I'd make a hash that could be validated by whatever your authentication
system is rather than the clear text user/pass though.

 

Beau

 

 

From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of mbhoisie
Sent: Tuesday, March 04, 2008 11:13 AM
To: flexcoders@yahoogroups.com
Subject: [flexcoders] A persistent logon system in flex?

 

I'm trying to implement a remember me feature in a Flex/BlazeDS 
application. This is where users enter their credentials in a flex 
message box, and something identifying their logon session is stored on 
the flex client, even if they close and re-open the application. 

I've been looking at storing this information in attributes on 
FlexSession and FlexClient, but these are temporary, and any attributes 
get deleted when the application is closed. 

Has anyone been able to do this, without reverting to an ugly ajax 
bridge? The server-side is a simple tomcat servlet. 

Thanks!
Mike

 


Re: [flexcoders] A persistent logon system in flex?

2008-03-04 Thread Derrick Anderson
Can you use sharedobjects?

On Tue, Mar 4, 2008 at 1:13 PM, mbhoisie [EMAIL PROTECTED] wrote:

   I'm trying to implement a remember me feature in a Flex/BlazeDS
 application. This is where users enter their credentials in a flex
 message box, and something identifying their logon session is stored on
 the flex client, even if they close and re-open the application.

 I've been looking at storing this information in attributes on
 FlexSession and FlexClient, but these are temporary, and any attributes
 get deleted when the application is closed.

 Has anyone been able to do this, without reverting to an ugly ajax
 bridge? The server-side is a simple tomcat servlet.

 Thanks!
 Mike

  



RE: [flexcoders] A persistent logon system in flex?

2008-03-04 Thread Beau Scott
Store it in a local SharedObject maybe?

 

I’d make a hash that could be validated by whatever your authentication
system is rather than the clear text user/pass though.

 

Beau

 

 

From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of mbhoisie
Sent: Tuesday, March 04, 2008 11:13 AM
To: flexcoders@yahoogroups.com
Subject: [flexcoders] A persistent logon system in flex?

 

I'm trying to implement a remember me feature in a Flex/BlazeDS 
application. This is where users enter their credentials in a flex 
message box, and something identifying their logon session is stored on 
the flex client, even if they close and re-open the application. 

I've been looking at storing this information in attributes on 
FlexSession and FlexClient, but these are temporary, and any attributes 
get deleted when the application is closed. 

Has anyone been able to do this, without reverting to an ugly ajax 
bridge? The server-side is a simple tomcat servlet. 

Thanks!
Mike

 

 
