1 Reply Latest reply on Jul 18, 2011 4:35 AM by Altarakron

    BlazeDS FlexContext FlexClient ID Security

    Altarakron

I need to find out if the identifier returned by the function call FlexContext.getFlexClient().getId(); is a secure identifier. As I understand it, each Flash/Flex client (Player) is assigned the Client ID upon first connection (I tested this from the same browser in different tabs and a different Client ID is given to each player).


I have also been told that this Client ID may or may not be directly related to the IP address and the MAC address of the PC that originally connected to the server.


      The use case for this is the following...


      The User enters login details into a login form.


      Those login details are passed through a SecureAMF Channel (over https) to the BlazeDS server.


The details are verified against the database, and upon successful authentication a session token is assigned.


The session token is not delivered back to the Flex client, but is instead held server side.


What we then do is, upon receiving any function call from the Flex client, get the FlexContext.getFlexClient().getId(); unique client ID and look up this identifier to see if there is a session token associated with it. If there is, then the server knows that the user is authenticated; after that the server does permission checks to see if the user has access rights to use that particular function call.


Now this whole process only works if the Client ID is absolutely secure, that is, there is no way possible to spoof or steal the ID in any way and use it from another Flex client. Unfortunately, I have not had any success whatsoever searching the internet for any information related to the client ID and how it is generated.


The other alternative, which is slightly unappealing, would be to pass the session token from the Flex client to the BlazeDS server on every RemoteObject function call. I believe it is also possible to store the session token in the FlexContext itself, but again there is no documentation on the security of these solutions.


      If anyone has any knowledge at all about this I would be very grateful.


Is the Client ID delivered to the Flex client (Flash Player or AIR app) through a secure HTTPS or encrypted channel so that no one can possibly steal the ID?
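The server-side flow described in the post, as an added Java example written against the BlazeDS API; it is not the poster's code. It keeps the post's design (the token never goes back to the client; the server checks authentication and then permissions on every call) but keys the authenticated state on the FlexSession that BlazeDS binds to the request, via FlexSession.setAttribute, and uses the FlexClient ID only for the audit log. The AuthService class, the in-memory user store and the role names are constructed assumptions.

```java
import flex.messaging.FlexContext;
import flex.messaging.FlexSession;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added illustration, not the poster's code. Exposed to Flex as a BlazeDS
// remoting destination; the class, method and role names are assumed.
public class AuthService {
    private static final String PRINCIPAL_ATTR = "auth.principal";

    // Constructed stand-in for the database check: user -> password, user -> roles.
    private static final Map<String, String> PASSWORDS = new HashMap<String, String>();
    private static final Map<String, Set<String>> ROLES = new HashMap<String, Set<String>>();
    static {
        PASSWORDS.put("alice", "s3cret");                                   // constructed sample data
        ROLES.put("alice", java.util.Collections.singleton("REPORT_READ"));  // constructed sample data
    }

    /** Server-side record of who is authenticated on this FlexSession. */
    public static final class Principal {
        public final String user;
        public final Set<String> roles;
        Principal(String user, Set<String> roles) { this.user = user; this.roles = roles; }
    }

    /** Called from the Flex login form over the SecureAMF channel. */
    public boolean login(String user, String password) {
        String expected = PASSWORDS.get(user);
        if (expected == null || !expected.equals(password)) return false;
        FlexSession session = FlexContext.getFlexSession();
        // The authenticated state never leaves the server: it lives as a FlexSession attribute.
        session.setAttribute(PRINCIPAL_ATTR, new Principal(user, ROLES.get(user)));
        // The FlexClient id identifies the player instance; record it for the audit log only.
        System.out.println("login " + user + " flexClient=" + FlexContext.getFlexClient().getId());
        return true;
    }

    /** Every remote method calls this first: authenticated? then authorised for the role? */
    private Principal require(String role) {
        Object p = FlexContext.getFlexSession().getAttribute(PRINCIPAL_ATTR);
        if (p == null) throw new SecurityException("not authenticated");
        Principal principal = (Principal) p;
        if (!principal.roles.contains(role)) throw new SecurityException("forbidden: " + role);
        return principal;
    }

    /** Example protected remote method: the permission check happens before any work. */
    public String getReport(int id) {
        Principal who = require("REPORT_READ");
        return "report " + id + " for " + who.user;
    }
}
```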