
Mobile app talking to asp .NET SOAP service via WebService over HTTPS

Feb 15, 2012 7:36 AM

Folks,

I wonder if you could possibly help me here. We are developing a mobile app using the Flex/AIR 4. framework with eventual hopes to target iOS, Android and Blackberry. One of our major components to our app will be the need to reach out and talk to our main website (ASP .NET running on IIS) via SOAP to gather sensitive data to present to the client. To this end, I need my mobile application to be able to communicate with my ASP .NET SOAP webservice via HTTPS (SSL certificate for encryption) and work with ASP .NET FormsAuthentication for session management. I.e. the first call from the mobile app to the webservice will carry credentials to 'log in' the user to the website and subsequent calls will use the created session from the first call on the ASP .NET side to authorize the user to proceed.

 

We are running into two MAJOR problems which are making me think of throwing out Adobe and going for some other development platform (or even switching to native app development). Those are:

  1. When using webservice (com.macreportmedia.webservice.FlexWebService) to define our webservice connection (going through the webservice wizard in the Flash Builder), the produced output, when run, does not communicate with the ASP .NET webservice using SSL. Even if we specify HTTPS as part of the WSDL path (for example, https://<my url>/services/FlexWebService.asmx?WSDL), at run time, our traffic is not being encrypted - if I use an HTTP sniffer (HTTP Debugger pro in this case) I see that all SOAP calls are still being passed back and forth in clear text over HTTPS port (443) but NOT encrypted.
  2. My second problem is just as serious - Session is not being maintained across calls. On the ASP .NET side of things I have the services set up correctly and I've verified this by making multiple SOAP calls via a .NET MFC client I built as well as a simple Java app and in both cases after the initial SOAP login call, subsequent calls are able to reuse the session appropriately. This seems to be something tied to the Flex AIR webservice itself. Using HTTP sniffing, it would appear that my HTTP headers contain the cookie and forms keys correctly - maybe I should be doing something with my SOAP headers?

 

All in all, I am finding searching for answers to be a very frustrating experience as it is near-impossible to find any examples of Flex/Air that is deployed as a mobile app as opposed to running in a web browser which has a completely different set of issues/challenges. I'd love ANY feedback from anyone on what we are doing, any suggestions, solutions or even to hear that we are being idiots and what we are trying will never work!

 

Now for some example code of what we are doing:

 

In the flash builder, we use the WebService wizard to build the service - note I've kept localhost as my URL for the sake of example:

        <webservice:FlexWebService id="flexWebService" result="stopTimer()" fault="HandleDataFetchError(event)"
                                    wsdl="http://localhost/FlexWebService.asmx.wsdl"
                                    destination="https://localhost/services/FlexWebService.asmx">
            
        </webservice:FlexWebService>
        <s:CallResponder id="GetDistributedReleasesResult"/>

 

This generates the FlexWebService and _Super_FlexWebService classes which I won't bother posting as I'd assume they are boiler-plate generation.

 

On the ASP .NET side of things, here is an example of two methods, the first being the Validate (or log in) method which creates the initial session and another call for data which would reuse the session:

 

    using System;
    using System.Web;
    using System.Web.Security;
    using System.Web.Services;

    // DomainMembershipProvider, DomainMembershipUser, UserVO, Constants and
    // InvalidUserPermissionsException are the project's own types.
    public class FlexWebService : System.Web.Services.WebService
    {
        // WebMethod(true) enables ASP.NET session state for this method.
        [WebMethod(true)]
        public bool ValidateUser(String username, String password)
        {
            /* Validate user using membership provider */
            DomainMembershipProvider domainMembershipProvider = (DomainMembershipProvider)Membership.Providers["DomainMembershipProvider"];
            if (domainMembershipProvider.ValidateUser(username, password))
            {
                // Create session ticket (version 1, valid for 30 minutes, not persistent)
                FormsAuthenticationTicket ticket =
                    new FormsAuthenticationTicket(
                        1,
                        username,
                        DateTime.Now,
                        DateTime.Now.AddMinutes(30),
                        false,
                        "");

                // Encrypt the ticket
                string encrypted_ticket = FormsAuthentication.Encrypt(ticket);

                // Create cookie; Secure and HttpOnly are not set explicitly here
                HttpCookie cookie = new HttpCookie(
                    FormsAuthentication.FormsCookieName,
                    encrypted_ticket);

                Context.Response.Cookies.Add(cookie);

                // Store the user's value object in the server-side session
                DomainMembershipUser currentUser = (DomainMembershipUser)Membership.GetUser(username);
                Context.Session[Constants.SESSION_CURRENT_USER] = currentUser.UserVO;
                return true;
            }
            return false;
        }

        [WebMethod(true)]
        public String GetUserName()
        {
            // Requires both the forms-authentication cookie and the session cookie
            // to be sent back by the client on this call.
            if (Context.User.Identity.IsAuthenticated)
            {
                UserVO userVO = (UserVO)Context.Session[Constants.SESSION_CURRENT_USER];
                return userVO.FirstName + " " + userVO.LastName;
            }
            else
            {
                /* User not authenticated so access is forbidden */
                throw new InvalidUserPermissionsException(null);
            }
        }
    }

 

 

Please, I am at my wit's end. Any help would be appreciated!
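
Added example, not part of the original post: one way to check from raw captured bytes (for instance a TCP payload exported from a packet capture) whether traffic on port 443 consists of TLS records or of plaintext HTTP/SOAP. The function names and both sample payloads are constructed for illustration.

```python
import struct

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
HTTP_PREFIXES = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"HTTP/1.",
                 b"<?xml", b"<soap:")
MAX_RECORD_LEN = 2**14 + 2048  # largest ciphertext fragment a TLS record may carry


def parse_tls_records(payload: bytes):
    """Walk the payload as TLS records; return their type names, or None if it is not TLS."""
    records, offset = [], 0
    while len(payload) - offset >= 5:  # a record header is 5 bytes
        ctype, major, minor, length = struct.unpack_from("!BBBH", payload, offset)
        # Header: content type, version 3.x (SSL 3.0 to TLS 1.3), 16-bit length
        if ctype not in TLS_CONTENT_TYPES or major != 3 or minor > 4:
            return None
        if length > MAX_RECORD_LEN:
            return None
        records.append(TLS_CONTENT_TYPES[ctype])
        offset += 5 + length  # a body cut off by the capture ends the walk
    return records or None


def classify(payload: bytes) -> str:
    """Label a captured payload as TLS, cleartext HTTP/SOAP, or unknown."""
    records = parse_tls_records(payload)
    if records:
        return "tls:" + ",".join(records)
    if payload.lstrip().startswith(HTTP_PREFIXES):
        return "cleartext-http"
    return "unknown"


# Constructed sample: a handshake record followed by an application_data record.
SAMPLE_TLS = (b"\x16\x03\x01\x00\x04" + b"\x01\x00\x00\x00" +
              b"\x17\x03\x03\x00\x03" + b"\xaa\xbb\xcc")
# Constructed sample: an unencrypted SOAP POST as it would appear on the wire.
SAMPLE_HTTP = (b"POST /services/FlexWebService.asmx HTTP/1.1\r\n"
               b"Host: localhost\r\n\r\n<soap:Envelope></soap:Envelope>")

if __name__ == "__main__":
    for name, data in (("tls sample", SAMPLE_TLS), ("http sample", SAMPLE_HTTP)):
        print(name, "->", classify(data))
```

The check looks only at what is on the wire, so it is independent of how a debugging proxy chooses to display a request.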

 