It's only Ryan's view. I think flex logins are perfectly fine, whether they are included in your main application or are a standalone application thrown at you when the server does not know you. I agree with you the user experience is way better that way.
Ryan's arguments make sense to me (browser auto-complete, cookie management where users expect it).
If it doesn't work for you, don't do it.
I'm not sure why you are upset about this article, it presents a view that under certain circumstances is preferred for some applications, especially when the client doesn't want unauthorised access to the application. I am aware of 2 banks a telco and a few insurance companies that specifically don't want ria's bypassing the existing corporate authentification methodology.
You don't win clients by forcing upon them your personal preferences, the beauty of flex is we can offer the client any combination they want.
The first question I ask clients that require authentication is whether they want it integrated or will they take care of it. When it comes to corporate/enterprise solutions its more common for applications/applets to be presented after login. As far as 'sessions' well if you are still stuck in the 90's go for it, Flex is not stateless it doesn't require the antiquated notion of maintaining state through 'sessions'.
No Adobe-Based app? so no illustrator, photoshop, dreamweaver in a design shop? good luck with that.
To clarify, I'm not uspet and I'm definitely not upset at Ryan himself. It's about the lack of good comprehensive tutorials on something that should be covered in depth. The only tutorial I could find that got close enough was from Mihai Corlan, but even that is a little outdated and needs lots of ironing.
As far as 'sessions' well if you are still stuck in the 90's go for it, Flex is not stateless it doesn't require the antiquated notion of maintaining state through 'sessions'.
David, Are you kidding. Sessions are the defacto standard for user authentication. You can even spot them in the first line of Ryan's own example.
$_SESSION['logged_in'] = false;
$_SESSION['username'] = ""
The point isn't about whether I love or hate flex. We love whatever technology benefits our bottom line. The point is about a feedback message to Adobe. They asked what to include in the "Evangelism Kit" and we gave them feedback, and as developers using the technology, we should give feedback whenever needed. A better way to push flex than the evangelism kit is to provide this topic in more detail. Everywhere I go there are unanswered questions on this topic. Since it's all about my bottom line, it takes me a lot less time to implement the whole thing in PHP and my clients wouldn't mind it either way.
We do our own authentication between Flex and the back end database system. It isn't terribly difficult, but there is no reasonable way for a generic front end to satisfy all the possible authentication mechanisms a backend system might require. So, you will pretty much have to 'roll your own', based on the requirements the back end imposes.
Well, I have to agree that traditional sessions are unnecessary with Flex. Since you have a 'stateful' client, they are not technically necessary. With PHP, most of the 'heavy lifting' is done on the server side, and a way to keep track of the 'state' of the client is needed. However, I do find it useful to simulate a session identifier, after the authentication process, so that full authentication isn't required with every request. This also reduces the authentication information exposure, since it is only exchanged during the initial exchange.
I don't use this to keep track of the client 'state' on the server, only to verify the request is from a previously authenticated client. The server is truly stateless, any information needed for the server to supply the correct information is included with the request from the Flex client.
Mark, Sessions are a server side thing. Nobody cares about the client now. Flex has its own internal states, so that can't be the question.
Hey David, great suggestion. And I agree, after looking, we need to do a better job of talking about how to do that in a traditional Flex application.
My article was meant as an FYI, and while I do believe that the fewer Flex/Flash login pages there are, the better (for purely selfish UX reasons, not security), it definitely looks like we should do a better job of talking about authentication and logging in with Flex/Flash.
So thanks for the suggestion. And for driving forum traffic to my blog