I have a html pages in which user is logged onin one page he can use swf movies but that movies need to know which user it isso I need to pass vars to swf (username), but that can be problembecause anyone could open swf with submitting username to swfso I need somehow secure user var pass to swf at startif
View 4 RepliesI have an AIR app in AS3 that connects to an online database, checks the login details for the user account, and logs in if all is good. Once logged in, the user can update database info, plus overwrite files in their user directory. So far it's working fine.
Problem is, I've only got it set up to send the raw login data. Once the php receieves it, it's hashed to check the hashed version in the database, but is there a way to hash and then unhash a password sent from an AIR app? Or a way to use https?
Also, regarding sessions, if you have a seesion in a browser, the session closes automatically when the browser closes, right? So how do you make a session close that you've opened via an Air app? I guess you could trigger a close from certain actions within the app, + when the app closes, but say the app crashes, or the computer crashes - will your session still be floating around out there open?
I was wondering what the best route to take for making a login. The idea is to have the user login with their username and pass on frame 1. If the username and pass exist in the MySQL database then the user will be moved to frame 2. What would be the best way of achieving this? I know AMFPHP is old and I have heard to use ZENDAMF instead, but it seems that any recommendations are 2+ years old when I searched Google.
View 1 Repliesi recently had a look to the tutorial for custom authentication within a flex application. The login is managed by getting the ChannelSet from a RemoteObject:
private function creationCompleteHandler():void {
if (cs == null)
cs = ServerConfig.getChannelSet(remoteObject.destination);
[Code]....
After that the channlset can be used with the login command of ChannelSet. How can i insure that this is using a secure connection? I know that there is a amf channel and a secure amf channel. But how to tell to provide the credentials in a secure connection?
I'm trying to build a secure login area on a Flash-AS3 website. I've managed to create the login form and pass data to a PHP script which checks them.
1) I know that in PHP I can echo some infos that can be get from AS3. In this case I suppose to echo something like "success" or "failed" to give an answer to the login attempt. Is this way of communication secure? Can anybody sniff this content and force AS3 to behave like if login was successful?
2) Suppose that PHP-AS3 communication has been secured. What should I do now? May I simply show admin pages hidden before? Is it the correct way? Is it secure?
I am trying to write a secure login using flash. I worked out that the login must be separate from the protected content otherwise a decompiler will get round it very quickly. At the moment I have a login swf that posts variables to a server side script which then creates a session for a valid user.
The idea is to then forward on to the protected content. However I am unsure how to pass the users info to the swf so a user could not modify before the swf gets it and thus see another members content or what I can do to stop someone just accessing the content directly by just knowing the swf file's location.
I'm trying to build a secure login area on a Flash-AS3 website. I've managed to create the login form and pass data to a PHP script which checks them. Now I've got some questions.
1) I know that in PHP I can echo some infos that can be get from AS3. In this case I suppose to echo something like "success" or "failed" to give an answer to the login attempt. Is this way of communication secure? Can anybody sniff this content and force AS3 to behave like if login was successful?
2) Suppose that PHP-AS3 communication has been secured. What should I do now? May I simply show admin pages hidden before? Is it the correct way? Is it secure?
I would like to create a secure login section for a website. I have managed to build up an AS3-PHP communication where PHP checks user credentials. I am already providing data enchryption between AS3 and PHP but I would like to add some further security. Is it possible to implement a HTTPS login section?
View 5 RepliesWe are planning a desktop client application with Adobe AIR. The client app will be delivered to our customers with a database, which contains monthly updated marketing data provided by our company. As different customers will buy different sets of data from us, for example, a customer is only interested in marketing data in a specific product category, while another customer need all data in a certain region. After a customer installs this client app, new data will be emailed to the customer every month.
So, the requirement is to keep the data accessible only by the customer who bought it. After reading through AIR's secure local store and database encryption feature, I came up with the following design: each customer will have his own secret key (stored in AIR's secure local store), the secret key is used to encrypt the data that the customer has purchased. Of course, the monthly data that we sent to the customer will be encrypted using the same secret key. So my questions are: is AIR's database encryption and secure local store secure enough for this use case? If someone gets the encrypted database file, can he decrypt the DB?
I have a need to build a flash login page. No big deal, but I need to have six seperate login accounts. For example:
Username: user1 Password: pass = link to [URL]
Username: user2 Password: pass = link to [URL]
Username: user3 Password: pass = link to [URL]
and so on for up to six users.
Again the usernames and passwords would not change, but need to redirect the particular user to a certain page.
stop();
var user_input = "";
var pass_input = "";
login_button.onRelease = function(){
if(user_input == "user1"
&& pass_input == "pass"){
getURL([URL], "GET");
}else{
gotoAndStop (3);
}}
how could i make a login form for people to use to login to a certain area?? like for instance on this website [url]..... at the bottom he has a client login form....how could i do that?
View 4 RepliesI have to make connection to the DB and Insert a row based on the data that the SWF sent me...I will need to make it so that the SWF->PHP part is secure by not letting users tamper with data.I don't want to use SSL because its not a suitable solution... what other method is available?
View 4 RepliesI have an SWF that communicates with a PHP file and ultimately the DB. The PHP checks whether the User has the appropriate Password etc. and if it is accepted, the actions the person performed on the SWF (game) are used to compete with other Players of the game.
send altered data or actions that are illegal in the game with their submition? To clarify: If a character in the game can only move 1 square at a time, can an evil evil hacker/decompiler (who is a Player in the game) tell the SWF to tell the PHP file that his/her character moves 3 squares at a time?
I'm just want a sense that things will be somewhat secure. There isn't any sensitive information in the SWF besides the location of the PHP file on the net.
Geting non secure content message
View 5 RepliesWe have a swf file that we want to secure and make available only to authorized users.
I embedded the file in an aspx page and that works fine, since ASP.NET handles the aspx page, I can use ASP.NET authorization features and in the web.config restrict the access to roles="AllowedUsers" for example.
However smart users could still get to the file by accessing directly for example www.mysite/flash.swf. We want to make that kind of access secure.
I have a flex application, running with amfphp and connected to wamp, I want to use a secure connection using ssl, but my whole application is running from the same swf file, would using ssl in that case mean that all the data, being sent and received between the server and client ,encrypted? Because this is not what I'm trying to do, I only want to encrypt the sign up and sign in data.
please note that, I have log-in bar which is visible the whole time as long as the user is not signed in.in other words, I only want to secure some of the data being transferred not every thing.
I have installed Flash Media Server on our server. When I load up the application home page, I see the demo video of a train.
Then I click on the "Interactive" tab on the right hand side. I was SHOCKED to see that I can create a live stream from my local camera without any credentials at all. Anyone who visits this webpage can publish a live video stream on our Flash Media Server?
I have a SWF hosted on a https enabled domain and amfphp installation on the same domain. Now when i let user embed the swf on his on http page, i intend to send some data to amfphp without user seeing it. However i see that firefox with firebug plugin catches the post data easily. How is this happening ? Adobe documents say that if a swf is hosted in https and destination is also under https, its suppose to be secure?
View 4 Replieshow to make secure SWF files, so that decompilers like sothink won't be able to decompile these swf files at all. i have been assigned some research work to find out the stuff to make swf files highly secured
View 1 RepliesI'm working on a desktop application that uses API keys for Twitter but AFAIK, AIR applicatioons are easy to decompile. I want the processing of the API requests to be client-side, not server-sided. At most, I want to keep the dependency onto the server to as low as possible.
What I'm thinking is sending the API from the server to the AIR app on the first run. I've already seen Shared secret with API in an Ajax Adobe AIR app but my question is a bit different in that, I want to know how secure ELS is?
How does Adobe work it's way to storing stuff into the ELS? Does it go through multiple encryption sessions before finally getting stored somewhere on the computer?
I have a Flash app that makes periodic calls (using URLRequest and URLLoader) to the same server that hosts it, to check if the current session has expired or not.The problem with this is a man in the middle can spoof a valid response.Is there a generally accepted way to validate a response?Would using 'https' in URLRequest(url) invoke https protocol, would that be sufficient? I'm not a security expert, but would that check if the site is who they say they are, just like the browser?
View 0 RepliesThere's a common strategy for posting to a database where a serverside page is called, passing it querystring data, in order to add entries to a database.
This is not secure though, anyone can decompile the .swf and hack the database by calling the serverside page with their own info. Does anyone know of a secure strategy that does not rely on obfuscation?
I'm building a flash-game-site for a while. The big trouble is Secure Score Submitting System .I search on the net and find some ineffective techniques:
-Secret word method: there is an secret word (crypto pass) on the server and flash gets it from server and uses for crypting score data then sends it to server. But the algoritm that does the crypto job, can be accesible with a swf decompiler. Also getting the secret word from server outside of flash is simple. Not safe!
-HTTP_REFERER method: php (or what else) check HTTP_REFERER data to determine where the post coming from. But with a simply firefox extensions, the referer header can be changed. Not safe!
That is my own idea but can only make cracking harder, not more:
-We can get flash vars with js (:swliveconnect) and send to server. Flash just make a fake submit that makes no effect. Just a trick. But not safe
I want to secure and to load two SWFs files from the same domain, does anyone have any examples and methods applying with allowDomain() that can be used to allow the SWFs to communicate and share data and functions.
ex: www.example.com
main.swf
about.swf (child)
contact.swf (child)
...
Most articles that I found it's based on cross-domain which is not what I want.
I'm working on a project (a game) that will run inside a container which is a separate swf. The purpose of this container is to be a sort of landing/end page for future games that's standardized.
For example: container.swf is embedded directly in the HTML page, and is given a flash var with the location of the game (game.swf).
-container.swf loads in game.swf as a child MovieClip
-At the end of gameplay, game.swf dispatched an Event containing the score and other pertinent game information
-container.swf has eventListeners that activate when game.swf dispatches those events, and stores the score given from the game.swf onto separate servers (in a db of some sort)
Now, we have a security option set up to keep the data from being tampered with as it travels from container.swf over to the database (as it is travelling over HTTP, which is easily intercepted, so a hash is included to verify the delivered contents)
My partner also believes that a similar hash-verification systems needs to be in place for the communications between game.swf and container.swf. However, I was under the impression that, since those communications don't travel over HTTP (and rather travel through the Flash player virtual machine type thing),adding such security is unnecessary (and retrofitting container.swf would be a non-trivial task).
So, which of us is correct? Is inter-swf communication (via eventListeners) inherently secure (since that would require lightning fast hacking in order to intercept the data...nanoseconds at best)? Or is adding another layer of security actually useful?
1) I'm trying to create a Flash Login Form but I guess its working with ASP or PHP. Can I make Flash to check usernames from any local mdb? As long as project doesn't require internet connection, excel or sqlite will be enough for me.
2) This question is related to first question. If I cant use a mdb file it seems I'll need to embed all those 5.000 users in flash project, am I correct? Also projects SWF file is 50mb. It will work from CD source, would that cause any problem? I've made it all in one SWF file for security
i am working on creating a custom application for FMS 3.0 that calls a webservice to validate the user coming in. I have tested the following sample code from the Server-Side ActionScript Language Ref. (See below) The URL has been changed to protect the innocent.
This codes seems to work fine when going to an unsecured site but the innvocation of the service never seems to go out when attempting it over SSL. The Server documentation says that outgoing calls like this should work over SSL. Is this true? If so what do I need to do to get it to work?
[Code]...
After installing FMS 3.5.1, anybody can use my server for live enconding. How can I configure the server to authorise live encoding only from subdomain 1234.4567 or by a password?
View 3 RepliesWe just found out someone is bouncing a pirated feed off our FMIS 3.5.2 server. after months of not having to look at this thing (and not remembering crap about parts of the setup), I'm trying to discover a few things.
First is, how do we tell FMIS which vhost allows live encoding? Second, as I look at the logs and logger.xml, I'm trying to tell how to force it to show the ip's of inbound/outbound traffic. Think I'm doing the right things to the file, but the log for the application/entry point the pirate is using doesn't show what I believe I configured to be the fields that should show up in the log. Finally, trying to figure out how to force authentication of media encoders talking to the server. I'm scanning the online help docs, etc. trying to remember all this stuff.... but if anyone can say "look at this page in the pdf, and this page in the online" to affect what I need to do to lock this up quick,
What's the best way to secure a Flex-BlazeDS application? I've googled it an several solutions came up.UPDATE after question from jsight:Flex would login, so on the RemoteObject I'll set Credentials I don't know if there comes authentication and authorization with BlazeDS (WebORB for instance does and WebORB looked at BlazeDS for their product) SSL not needed 've seen some links on the internet talking about spring security, so I'll check that out.
View 1 Replies