3 Replies Latest reply on Jan 7, 2011 2:22 PM by xkxtnt

    Flex RemoteObject to CF8 security & channel

    ProjectedSurplus Level 1
      I'm a newbie converting a cfm site to flex and have a question regarding the security implications of managing state on the client.

      In my cfm site I set a SESSION.variable for "isSignedIn" which CF server stores and (via CFToken cookie accompanying subsequent page requests) associates with say OwnerID=17. Thus the client machine does not ever receive OwnerID=17.

      However, a flex app using <mx:RemoteObject> changes state upon successful signIn -- but how does the CF server know that subsequent data requests from that app are for OwnerID=17 unless OwnerID=17 is stored on the client machine and accompanies every "message"?

      I've researched fairly extensively and figure that IF (I'm not sure) <mx:RemoteObject> establishes a "constant" (until signed out) pipe/channel to the CF server, then the "header" OwnerID=17 is not necessary -- but I'm not sure if this is so, or if <mx:RemoteObject> is NOT a "constant" channel but only a message-out-and-return structure invoked when called, à la HTTP.

      And if it is a constant channel, what are the performance implications of this on the CF server (it seems it would be a drain on resources)? Presumably as well, the "constant" channel could only be closed by the client (there not seeming to be any SESSION.variable-like settings???).

      I realize there are encryption protections available both for storage on the client and for in-transit data packets, but am I correct in asserting that sending OwnerID=17 down to the client at any time is a security risk (i.e. motivating the duplication of a GUID-based stored object -- aka SESSION variable -- analogy for my application)?

      Thanks in advance for all comments and feedback.
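An added example (not code from this thread) of the server-side pattern the question circles around: the CFC that `<mx:RemoteObject>` targets binds OwnerID to the SESSION scope at sign-in and never accepts it as an argument from the client, so the id never has to travel to the browser. It assumes a browser-hosted Flex app (CF's session cookies ride along with the AMF requests, which are ordinary HTTP POSTs), `sessionManagement` enabled in Application.cfc, and hypothetical `checkCredentials()`, datasource and table names.

```cfml
<!--- Account.cfc (constructed example). In Flex:
      <mx:RemoteObject id="acct" destination="ColdFusion" source="Account"/>
      Application.cfc must set this.sessionManagement = true. --->
<cfcomponent>

    <!--- signIn: verify credentials, then bind the owner to the SESSION on the server.
          Only true/false is returned to the client; OwnerID stays server-side. --->
    <cffunction name="signIn" access="remote" returntype="boolean">
        <cfargument name="username" type="string" required="true">
        <cfargument name="password" type="string" required="true">
        <!--- checkCredentials() is a hypothetical helper: returns OwnerID or 0 on failure --->
        <cfset var ownerID = checkCredentials(arguments.username, arguments.password)>
        <cfif ownerID GT 0>
            <cflock scope="session" type="exclusive" timeout="5">
                <cfset SESSION.isSignedIn = true>
                <cfset SESSION.ownerID = ownerID>
            </cflock>
            <cfreturn true>
        </cfif>
        <cfreturn false>
    </cffunction>

    <!--- getOwnerData: takes NO owner id from the client. The id is resolved from the
          session that CF associated with the caller's CFID/CFTOKEN (or JSESSIONID) cookie,
          so a client cannot ask for another owner's rows by changing a parameter. --->
    <cffunction name="getOwnerData" access="remote" returntype="query">
        <cfset var q = "">
        <cfif NOT (structKeyExists(SESSION, "isSignedIn") AND SESSION.isSignedIn)>
            <!--- surfaces as a fault in the RemoteObject's fault handler --->
            <cfthrow type="NotSignedIn" message="Sign in before requesting data.">
        </cfif>
        <!--- datasource and table are hypothetical placeholders --->
        <cfquery name="q" datasource="ownerDB">
            SELECT OrderID, OrderDate, Total
            FROM   Orders
            WHERE  OwnerID = <cfqueryparam value="#SESSION.ownerID#" cfsqltype="cf_sql_integer">
        </cfquery>
        <cfreturn q>
    </cffunction>

    <!--- signOut: the server ends the association; the client cannot keep it alive by
          holding a "channel" open, and the session also expires on this.sessionTimeout. --->
    <cffunction name="signOut" access="remote" returntype="void">
        <cflock scope="session" type="exclusive" timeout="5">
            <cfset structClear(SESSION)>
        </cflock>
    </cffunction>

</cfcomponent>
```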