This content has been marked as final. Show 7 replies
In your PHP file you could make it only allow the IP of the server the Flex app is on (if it is a dedicated IP meaning that it doesn't change) or you could create an additional string (token) that the Flex app sends to the PHP file showing that it is the app, and in the PHP file if the token is sent and is correct run the script otherwise do nothing except maybe echo out an error message. The only way someone would get through to the script is to know your token.
The idea of restricting the src IP in the PHP files may be an idea and I'll investigate it. I'm not sure about adding a token as anyone running the Flex app could watch the POSTs or GETs and get the "token" that allows access.
Any one else have any good ideas? I think that a lot of people would find this useful.
These are just some off the top ideas, you can extrapolate and create a solution that might work:
Since the client has access to the data stream to/from the server, there is no way to guarantee that someone won't use some kind of sniffer program to find what file the flex app is talking to, but that doesn't mean that you can't obfuscate it as much as possible to make it not worth trying.
One idea was to use a single index and use _GET to control what content is being served, using includes on the php side to serve the proper file/content.
Since the content you are delivering I would assume requires authentication, you'll have a unique session ID to work in. While the actual php file could be accessed in real time if you watched the data stream, if the user is already authenticated, what diff does it make? Set up specific rules inside your php file, so that it must receive data using a specific protocol, one that you can obfuscate using crypt and base it on variables that are unique, such as SSID + date + time, etc. When you first authenticate with the server from the flex app, have the php login script return the required protocol rules back to the flex app that would be unique to the session. The _SESSION variables on the server would contain the unique protocol rules as well. This gives you server side control over talking to the flex app... then all you would need to do, if you wanted to keep a tighter lid on the access to your script, is just rotate the protocol from time to time.
Add on top of this, script name obfuscation that you store server side and transfer only withing the validated session, such as e.g. fstrs4adadst4_somefile.php etc etc, where your randomized key is the prefix (or suffix whichever you prefer) of your index. Your code of course would use the current protocol keys to match the current index, and all you need do is control the .htaccess file so that it relays any $_somefile.php to the proper file/directory etc which would be a name that would never be revealed to the public, and only used inside your .htaccess file or on the server side itself.
Taking it a step further, if you create some kind of pulsing authentication system using the above methods, you can rotate the keys fast enough, so that someone would have to work really hard to figure out the protocol to talk to your server
Just my 2 cents...
RFX - I appreciate the ideas. I am sure it will work, but I think it may be too complex for me to figure out.... I'm not really a full time programmer. I wonder if there's a simpler way? It doesn't have to be too extreme, I'd just prefer to only allow the app to call the PHP pages.
Sandersky - The more I think about your IP idea, which would be nice, I'm not sure it will work. When the client launches the flex app any calls the flex app makes to PHP files on the server come as a client request from the client itself, not the server. So restricting it to the server IP could be an issue.
Any other thoughts?
I too am dubious of the IP restriction idea since the referencing IP address will never be the same. Flex runs on the client machine and thus uses the client's IP address, so that isn't really an option.
I don't know PHP, but is there a _referencingFile option, like a way to find what application name submitted the request? If so, only allow for responses to whatever your flex app is called. That too could be faked, but it is something.
you can restrict only apache to access the files, that will be the easiest way(assuming you are serving php files with apache) it can be done through .htaccess,and istead of specifying box ip address you specify localhost and 127.0.0 etc.
I have flash mp3 player that can read directory of mp3 files but if anyone tries to access that location directly they get denied.
Can you provide an example of what you're talking about? I guess the part that I'm not seeing how it would work is restricting the IP or only allowing Apache. When you launch the Flex app, the call to the swf files are from the client not the server. And all the subsequent calls for HTTPService requests to POST data to grab info from a PHP file is from the client, not the server. So the src IP will always change.
Am I missing something?
Again - Thanks to all who are responding and trying to help me solve this.