7 Replies Latest reply on Mar 5, 2007 1:49 PM by kglad

    login - password protected content/page

    Freeky_Bonjela Level 1
      I scanned the net for the best way to provide a login protection for the site I am working on. One that enables those with the relevant username and password to access a page that holds protected content.
      The method I have put in place is inherently coded in flash and utilises a separate text file to hold the username and password information.
      It all works swimmingly telling the user if they have the wrong info, and logs them in nicely when the correct details have been typed in. But I discovered a major flaw in it recently that has me baffled.
      If you type in any random text into both the username and password input boxes, then delete it all, you can then click the login button and hey presto you're in. Not very good at all.
      You can see this in action as the site is up and running at www.safetybusiness.co.uk
      Go to the VIP page.

      There are two input text boxes with the variables 'loginname' and 'loginpass' and a dynamic text box called 'status'
      Here is the code I have given the login button:

      on (release, keyPress "<Enter>") {
          if (loginname != undefined and loginpass != undefined) {
              if (eval(loginname) eq loginpass) {
                  loginname = "";
                  loginpass = "";
                  gotoAndStop(132);
              } else {
                  status = "login details incorrect";
              }
          }
      }

      Any ideas would be greatly appreciated....or a suggestion for an alternative successful method would also be most welcome.
        • 1. Re: login - password protected content/page
          SymTsb Level 2
          PHP and mySQL would be a much better solution for anything that is protected content.

          I would never ever use a text file to store user names and passwords for any site unless I was ok with that content being accessed by the general public. Another flaw that you may not have stumbled across yet involves someone pulling apart your swf and finding out the location of that text file on the server and downloading it to their local drive....no more mystery there.

          PHP and mySQL have their issues as well but they are not as easily accessible or undone as simple text is. That's just my 2 cents.
          • 2. Re: login - password protected content/page
            tonyhigham Level 1
            First, I would definitely echo SymTsb's suggestion about using PHP and MySQL. There are lots of free resources online that will help you with salting, hashing, and storing username/password combos in a much more secure manner than this.

            However, to answer the question you asked instead of just dropping unsolicited advice, the problem is that your variables will never be undefined just because no text was entered. Instead, they will be empty strings ("").

            So, just change your first conditional to:

            if (loginname and loginpass) {

            This will check that the strings are not empty, i.e. that text has been entered.
            • 3. Re: login - password protected content/page
              Freeky_Bonjela Level 1
              Thanks for your advice. I realise PHP and mySQL would be more secure, but as yet I have been unable to locate a tutorial or the necessary code to enable that method to work. This was the first way I found that at least achieved what I was trying to do.
              Obviously the flaw I mentioned has now deemed this solution unworkable as it stands....I tried changing my first conditional to what you recommended Tony, but now when I hit login nothing happens at all. No error msg no nothing.
              If either of you could point me in the direction of a PHP tutorial for this I would be very grateful.
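A JavaScript model of the login button's logic, added here as an example and not code from the thread. It shows the emptied fields comparing equal in the posted handler, the bare truthiness test ignoring non-numeric names, and explicit length checks closing both gaps. Assumptions: the SWF follows Flash Player 6-era conversions (undefined becomes "" in string context, and a string is converted to a number before a boolean test); the `timeline` object, the sample account and all function names are constructed for illustration.

```javascript
// Added example, not code from the thread. Assumption: Flash Player 6-era
// conversions (undefined -> "" as a string; string -> number -> boolean).

// Constructed sample: timeline variables after the text file has loaded.
const timeline = { alice: "s3cret-sample" };

const asString = (v) => (v === undefined ? "" : String(v));
const asBool = (v) => {
  const n = Number(asString(v));
  return !Number.isNaN(n) && n !== 0;
};
// Stand-in for eval(name): resolve a variable name on the timeline.
const lookup = (name) =>
  Object.prototype.hasOwnProperty.call(timeline, name) ? timeline[name] : undefined;
// Stand-in for `eq`: compare both operands as strings.
const eq = (a, b) => asString(a) === asString(b);

// The posted handler. An emptied input field holds "", not undefined.
function originalCheck(loginname, loginpass) {
  if (loginname !== undefined && loginpass !== undefined) {
    return eq(lookup(loginname), loginpass) ? "granted" : "denied";
  }
  return "no-op";
}

// First conditional replaced by `loginname and loginpass`.
function truthinessCheck(loginname, loginpass) {
  if (asBool(loginname) && asBool(loginpass)) {
    return eq(lookup(loginname), loginpass) ? "granted" : "denied";
  }
  return "no-op"; // no else branch, so no status message either
}

// Hardened: explicit length tests, and the stored value must really exist.
function hardenedCheck(loginname, loginpass) {
  if (typeof loginname !== "string" || typeof loginpass !== "string") return "denied";
  if (loginname.length === 0 || loginpass.length === 0) return "denied";
  const stored = lookup(loginname);
  return typeof stored === "string" && stored === loginpass ? "granted" : "denied";
}
```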
              • 4. Re: login - password protected content/page
                tonyhigham Level 1
                gotoAndLearn.com has an excellent tutorial on how to perform basic MySQL queries from Flash via PHP (just scroll down the list, it's easy to find). To make it worthwhile, however, you need to avoid sending plain-text password information to the server, which means you need to do your hashing client side in either Flash or JavaScript. I would suggest Flash, because since the code will be almost identical either way, there's no sense round-tripping to JavaScript.

                THAT being said, you could write your own custom hashing algorithm, which has the benefit that someone would have to brute-force it from scratch, but is a pain to develop. Or you could download an actionscript implementation of a standard hash, like MD5. This will be copy/paste easy, but perhaps less secure.

                You can find a ready-made AS MD5 here:
                http://www.secureplay.com/product-docs/MD5-Message-Digest.htm

                So an example of your security setup would be to hash the user info in Flash, sendAndLoad it (or remote it if you're feeling ambitious) to PHP, which will compare it with the stored info in mySQL, then send you back a boolean in your onLoad callback (or remoting callback).

                The basic PHP, mySQL, and sendAndLoad info you can find in the gotoAndLearn tutorial, and you can use the hashing function from the link I provided. Let me know if you have any questions...
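The server-side comparison step described in this reply, together with the salting and hashing mentioned in reply 2, as an added example that is not code from the thread. It hashes on the server with Node's scrypt and a per-user salt in place of a client-side MD5, and uses an in-memory Map in place of the MySQL table; both substitutions, the function names and the sample account are assumptions of the example.

```javascript
// Added example, not code from the thread. A Map stands in for the MySQL
// table; names and the sample account are constructed for illustration.
const nodeCrypto = require("node:crypto");

const KEY_LEN = 32;
const users = new Map(); // username -> { salt, hash }

// Store only a random per-user salt and the scrypt output, never the password.
function register(username, password) {
  const salt = nodeCrypto.randomBytes(16);
  const hash = nodeCrypto.scryptSync(password, salt, KEY_LEN);
  users.set(username, { salt, hash });
}

// A fixed dummy record keeps the hashing work the same for unknown usernames.
const DUMMY = { salt: Buffer.alloc(16), hash: Buffer.alloc(KEY_LEN) };

// Returns the boolean that the Flash onLoad callback would receive.
function verifyLogin(username, password) {
  if (typeof username !== "string" || typeof password !== "string") return false;
  if (username.length === 0 || password.length === 0) return false;
  const known = users.has(username);
  const record = known ? users.get(username) : DUMMY;
  const candidate = nodeCrypto.scryptSync(password, record.salt, KEY_LEN);
  // Constant-time comparison; `known` is applied last so both paths do equal work.
  const match = nodeCrypto.timingSafeEqual(candidate, record.hash);
  return known && match;
}

register("alice", "s3cret-sample"); // constructed sample account
```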
                • 5. Re: login - password protected content/page
                  Freeky_Bonjela Level 1
                  Thanks for your continuing help. However after looking at the link you gave me I think with the level of my current knowledge the process goes way over my head. As much as I would like to eventually the best and safest method of achieving a secure login, at the moment I really just need something simple, and a password file that my client will easily be able to amend. That is why I felt, even though it isn't very secure, using a txt file would suffice. The information that they will want to offer in the VIP area won't be of a nature that would leave their business open to harm. It is just to provide an added bonus to the clients of theirs that they have a closer working relationship with.
                  If you have any idea why my first query is happening, then it would be great if you could help.
                  When I have more time, I'll try and teach myself mySQL and PHP.
                  Thanks again.
                    • 7. Re: login - password protected content/page
                      kglad Adobe Community Professional & MVP
                      Your code is set up to allow anyone that uses the same text in your two textfields.