Secure Login for Flex/PHP Application
Posted: Thu Apr 08, 2010 6:12 am
Hi,
I'm currently developing an application using Flex and PHP. A very abstract description of how the application is built up:
The frontend is built with Adobe Flex and is accessed via a web browser using the Flash Player. It communicates with PHP using HTTP services. PHP is used to read and write information to a MySQL database. The PHP processes partly require authorization with a username and password.
The Flex application starts with a login box where the user enters username and password. The login data is sent to PHP using an HTTP service, which transports the data via POST. The password is currently sent as an MD5 hash. In PHP, the received login data is validated against a database table.
The authorization in PHP should only be done once (after the login box) to avoid sending username and password every time from the client to the remote server which does the PHP work. So I think the only way to keep the user "logged in" is writing a session variable.
Later, when the Flex application sends a command to PHP, PHP tests whether the session variable exists. If the variable exists, the user is authorized and the command is executed. If the variable doesn't exist, he is not authorized and the command is not executed.
My question: Is this "secure"? Can this be optimized?
I thought about a concept using a "secure key": After the login data is validated, a secure key of, say, 100 random characters is generated. This secure key is written to the session and sent back to the Flex app. Later, when the Flex app sends commands to the PHP server, it also sends the secure key. So PHP just needs to compare the secure key stored in the session with the key sent by Flex. If it's the same key, the user is authorized. Would that make it "more secure"?
Thanks for comments and hints!
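The scheme in the post, worked through as an added example for the PHP side; this is not code from the original post or from any project. It assumes a hypothetical table `users(id, username, password_hash)` whose `password_hash` column was filled with `password_hash($plaintext, PASSWORD_DEFAULT)`, a PDO connection with made-up credentials, PHP 7.3 or newer, and that the whole exchange runs over HTTPS. Two choices differ from the post: the client sends the password itself over TLS rather than a client-side MD5 (a hash computed by the client is just a password equivalent, so hashing there protects nothing, while the server-side salted hash protects the database), and the "secure key" is kept as a per-session random token that every command must echo back. That token does nothing against a stolen session cookie, but it does stop a third-party page from driving a logged-in browser, which is the real gain.

```php
<?php
// Added example, not code from the original post. Hypothetical schema:
// users(id INT, username VARCHAR, password_hash VARCHAR) with password_hash
// produced by password_hash($plaintext, PASSWORD_DEFAULT). Requires PHP >= 7.3.
declare(strict_types=1);

// Harden the session cookie before the session is started.
ini_set('session.use_strict_mode', '1');   // refuse session ids the server never issued
ini_set('session.cookie_httponly', '1');   // keep the id away from script access
ini_set('session.cookie_secure', '1');     // only ever send it over HTTPS
ini_set('session.cookie_samesite', 'Lax');
session_start();

/** Validate credentials; on success bind the session to the user and return the per-session token. */
function login(PDO $pdo, string $username, string $password): ?string
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() handles the salt and compares in constant time.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }

    // Discard the pre-login session id so a fixated id is not promoted to a logged-in one.
    session_regenerate_id(true);
    $_SESSION['user_id']    = (int) $row['id'];
    $_SESSION['login_time'] = time();
    // Random per-session token the client must send with every command
    // (the "secure key" from the post, used here as a CSRF token).
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    return $_SESSION['csrf_token'];
}

/** Gate every command: a live, unexpired session plus a matching token, else stop. */
function requireAuth(int $maxAge = 8 * 3600): int
{
    if (empty($_SESSION['user_id']) || (time() - ($_SESSION['login_time'] ?? 0)) > $maxAge) {
        session_destroy();
        http_response_code(401);
        exit('not authenticated');
    }
    $sent = $_POST['token'] ?? '';
    // hash_equals() avoids leaking the token byte by byte through timing.
    if (!is_string($sent) || !hash_equals($_SESSION['csrf_token'], $sent)) {
        http_response_code(403);
        exit('bad token');
    }
    return $_SESSION['user_id'];
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Dispatch: the Flex client POSTs action=login|command|logout (hypothetical DSN and credentials).
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
header('Content-Type: application/json');

switch ($_POST['action'] ?? '') {
    case 'login':
        $token = login($pdo, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
        if ($token === null) {
            http_response_code(401);
            echo json_encode(['ok' => false]);
        } else {
            echo json_encode(['ok' => true, 'token' => $token]);
        }
        break;
    case 'command':
        $userId = requireAuth();
        // Run the real command here, scoping every query to $userId.
        echo json_encode(['ok' => true, 'user' => $userId]);
        break;
    case 'logout':
        logout();
        echo json_encode(['ok' => true]);
        break;
    default:
        http_response_code(400);
        echo json_encode(['ok' => false, 'error' => 'unknown action']);
}
```

The Flex side keeps the token returned by the login call and adds it as a `token` POST field on every subsequent request; the session cookie itself is carried by the browser automatically. Regenerating the session id at login, marking the cookie `HttpOnly` and `Secure`, and enforcing an idle or absolute timeout are what make the "just write a session variable" approach hold up; the extra key only matters as a CSRF defence.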