Use ColdFusion, Greg. There isn't anything simpler than that.
Although if you're using Flex / PHP, the Zend Framework will help you
overcome those situations because when using the Zend Framework you'll be
using Remote Objects.
Is ColdFusion a secure way for transferring passwords and other sensitive data as well?
All server technologies are insecure by "default"; you need to do some
configuration there, but CF makes that easy for you. You could use SSL to
secure the channel, then use the cflogin framework, add role-based
permissions to the ColdFusion CFCs and you're ready to go. But let's face it,
an app is never 100% secure.
I guess I can apply some of those same principles to using raw PHP?
Definitely the principles are the same, the how is the one that differs. If you're going the PHP way, ZendPHP with RemoteObjects will be the most efficient way if you're developing an app from top to bottom.
What build of Flex are you using?
1) When using HTTPS the GET URL would also be encrypted, but once decrypted on the server the URL might be logged so it's suggested to not use GET for transmitting credentials.
In 3.x, the default contentType is application/x-www-form-urlencoded - but what happens to your data depends on the type of the params passed into HTTPService.send(). Are you constructing a JSON request as a String?
BTW, did you try to set a contentType? I looked at the 3.x SDK source in SVN and the HTTPService contentType property still has metadata which provides code insight in the IDE but it also restricts the values of . When toString() is called on this XML node the root node is unwrapped and the empty string content returned. To avoid this toXMLString() can be called on the XML node to get the entire XML representation.
3) Load your SWF via HTTPS and use also HTTPS to send your credentials to the server and establish a session. If you tried to use a Basic Auth challenge you'd have to rely on the browser authentication dialog as you can no longer preauthenticate using an "Authorization" header as it is on the list of headers not allowed by flash.net.URLLoader. See the docs for URLRequestHeader used to configure headers with URLLoader:
As for how to send custom credentials... I think if you can solve your issue in 1) then the rest is up to what you want to do on the server. There should be lots of PHP login examples out there too. As a best practice try to delete / null out credentials variables when they're no longer in use on the client or server. Even though you're using HTTPS, consider additionally Base-64 encoding the credentials (for example, you could copy the format of the HTTPS Authorization header with a single "username:password" string) to obscure them in the event that a clear text version of the request is logged, or viewed in a debugger, etc.
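The points in the post above (POST instead of GET, HTTPS only, a Base-64 "username:password" string, dropping credential variables after use) as a PHP login endpoint. This is an added example, not code from the thread or its posters; the form field name `credentials`, the function names and the in-memory user store are assumptions, and it assumes TLS terminates on the PHP server itself.

```php
<?php
declare(strict_types=1);

// Constructed sample user store (assumption); a real app would query a database.
function sample_users(): array {
    return ['greg' => password_hash('s3cret:with:colons', PASSWORD_DEFAULT)];
}

// Decode a Base64 "username:password" string. Returns [user, pass] or null.
// Base64 only obscures the value in logs and debuggers; confidentiality comes from TLS.
function parse_credentials(string $encoded): ?array {
    $decoded = base64_decode($encoded, true);   // strict mode rejects invalid characters
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split on the first colon only, so the password itself may contain ':'.
    [$user, $pass] = explode(':', $decoded, 2);
    return ($user === '' || $pass === '') ? null : [$user, $pass];
}

// Returns the HTTP status code for the login attempt.
function handle_login(array $server, array $post, array $users): int {
    // Refuse plain HTTP, and refuse GET so credentials never sit in a logged URL.
    $https = $server['HTTPS'] ?? '';
    if ($https === '' || $https === 'off') return 403;
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') return 405;

    $raw = $post['credentials'] ?? null;        // hypothetical field name
    if (!is_string($raw)) return 400;
    $creds = parse_credentials($raw);
    if ($creds === null) return 400;
    [$user, $pass] = $creds;

    $ok = isset($users[$user]) && password_verify($pass, $users[$user]);
    unset($pass, $creds, $raw);                 // drop credential variables once checked
    if (!$ok) return 401;

    session_start();
    session_regenerate_id(true);                // new session ID after login
    $_SESSION['user'] = $user;
    return 200;
}

http_response_code(handle_login($_SERVER, $_POST, sample_users()));
```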
Thanks Peter. Your answer is way over my head, but it seems you touch on some good points, so I'll do some additional research into the topics you mention.