by "key" i assume you mean your Codename Cirrus developer key, which you use to connect to the Cirrus servers.
if someone were to create a cheat version of, say, your game, they wouldn't need to use your developer key. any valid developer key allows access to any peers or groups connected to the service using any other developer key. anyone can obtain a developer key. since anyone can get one and they don't restrict the peer ID or group namespaces, there's no incentive to steal an existing one out of a SWF, so we decided not to add any other layer of authentication (like a shared secret or challenge), as that would be an unneccessary complication and just make using the service harder.
if you do want to conceal your developer key, you could use a secure channel to transmit it to your SWF, such as HTTPS after a username/password challenge (so only authorized/trusted users would be given it). of course, an authorized user could have a hacked SWF and could get the developer key out anyway. but that starts to be a lot of trouble for no reason. you can increase the technical hurdle even farther by using RTMPS to connect to a Flash Media Server, and use SWF Verification on FMS to ensure (with a high degree of confidence) that the SWF is the one you made and not a hacked one, and transmit the Cirrus developer key over the RTMPS channel only to verified SWFs.
I really didnot understand. What's the point of giving a key with around i think 30-40 mix of numbers and characters. I thought it's sort of secret, so that only those swfs working with that key can list it's respective users.
In that case it's possible that my swf may show thousands of users. Isn't it ? It's because anybody can build a similar application, and whoever connects it, would also be displayed in my application. And anybody can sabotage my swf thus, by making hundreds and hundreds of connections.
Is their no way to control the number of connections ?
if someone wanted to make it look like your developer key was using more resources than you (the real developer) really was, then yes they could do that if they obtained your developer key. however, other than causing you grief, there's no incentive to do so, since anyone can get a developer key.
there is no way to list the peer IDs that are connected to the service. the peer IDs can't be guessed (they're cryptographically pseudorandom). so even if another application was connected with a different developer key, it would still have to interact with your infrastructure to learn the peer IDs of anyone it wanted to interact with. if you only divulge peer IDs to authorized users, then only authorized users can connect to those peers.
there is no way to list the groups that peers using your developer key are using. group specifications can be made arbitrarily hard to guess. peers don't divulge group specifications to other group members or to the Cirrus service (the groupspecs are hashed on the wire as of Flash Player 10.2, even to the server). if you make the group specifications cryptographically infeasible to guess and only give them to authorized users, then only authorized users can join those groups.
ok, thanks for the explanation.
I think the existence of peer-id ,and group-specificaton is probably my answer. I will try to research more on it. Thanks again.
Ok, well today I created 2 different applications, with 2 different developer keys ( by making another adobe id ).
for app1 , my developer key was "abcxyz" (imaginary)
for app2, my developer key was "defxyz" (imaginary)
When i ran app1, it mentioned total users 1
and then when i ran app2, it mentioned total users 2
So, users running two "different" applications are able to see each other logged in
My logic is ( and my question too) , is it possible that i may see several other users in my list because somewhere in some part of the world, many other programmers might be trying to test the same way i am testing ? Afterall, everybody is trying to login on a common Adobe Cirrus Server .
( PS: Actually i asked my friend, who lives in another town, to create a dummy application with his own developer id and then asked him to login. But i couldnot get any additional user in my list . Anything,I am missing ?? )
i assume app1 and app2 are using/joining the same group, and you're reporting the number of neighbors and/or members of that group. as i mentioned, the developer keys don't form a namespace subdivision for peer IDs or group names/groupspecs. both of your apps know the groupspec.
if you want them to be separate, pick groupspecs that are different; ideally, cryptographically pseudorandomly different. and only give the groupspecs to your users who are authorized to join the group (for example, by transmitting it over HTTPS only with correct user credentials according to your application).