 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
| HomeDiscussion GroupsGeneralPHPASPPerlColdFusionFlashHTML, CSS, ScriptsBrowsers |
Webmaster Forum / ColdFusion / Flash Integration / June 2008Protecting remote CFCs from unauthorized access
Now that I'm working with Flex I've discovered that I no longer have session variables to maintain access to a site. How do I protect my Coldfusion CFC's from unauthorized access? I'm working on a site that requires user authentication. While the actual user authentication in flex is easy, this doesn't protect my Coldfusion CFCs from someone that knows how to hook up directly to my site which would bypass the interface security. I'm also coding an Adobe Air application to go along with the website. TIA. That's a good question... Anyone has an awnser ? Etienne Have you investigated the CFC username/password properties? Have you investigated session use with flex applications? I understand they are still possible, just not as intuitive as with an HTML application. One of my task involved publishing a secured web service to be consumed by any client/platform. Best and secured way, and you'll agree that this is what Amazon and Google use as well, is that you assign every client an application-id and security-key. And here's how client should make requests: 1. SoapHeaders or HTTP_Cookie is sent with every request. Information it will contain is an encryted text (token) and client id. Header or cookie will appear something like this: applicationid=3456&token=wJDKD93o34%^&*$2de4390 2. Encrytion is done by the client using the security-key provided by the server. Text which is encrypted must contain datetime. Example normal text could be: myMethod\20080612 3. The security-key itself is never transferred over the network 4. At the server side, the token header value is decrypted using the key for that applicationid (pick it up from the server.) 5. Server checks If after decryotion of token the datetime is in proper format and methodName in same as the method called. And if this is true, client is authenticated. In simple words, go on encryting any client variable before sending to the server. If server can decrypt it and finds expected string, respond or else throw security error. Why you must also allow access using HTTP_COOKIE is that you dont want to write your own WSDL files. ColdFusion can not generate a WSDL which can tell consumers what SoapHeaders your service is expecting. Not allowing cookies based authentication will eventually lead to a situation where .NET developers wont be able to consume your service. Its impossible for most .NET pros to write a code to send custom soap headers - there is so much dependency on VS Studio web service code stubs. Sam Adobe Certified Flash and Adv. ColdFusion Developer http://www.samunplugged.com mumbai users, join other mumbai cf enthsiasts: http://in.groups.yahoo.com/group/cfexpress/ |
Reply to this Message |
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.