Key Transactions

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

aliasxneo
Forum Contributor
Posts: 136
Joined: Thu Aug 31, 2006 12:01 am

Key Transactions

Post by aliasxneo »

Here's what I'm working with:

- A Flash GUI built using Adobe Flex Framework
- A PHP based API that returns requested data in XML format

Essentially what needs to happen is only authenticated people should be able to access the API. Here's the way I planned this:

Login details (username and password) would be sent to the API in order to be verified (/api/auth/?user=..&pass=...). If verified the API would return a key for future transactions. This key would then be logged into the database. When any more transactions are made the key is sent with that transaction and is checked against the database, and if valid, will return the appropriate data. This key will then expire after a certain amount of time.

My question is whether this is secure. Essentially I plan for the Flash application to send the request, log the key, and then use it in any further transactions. Are there any large exploits I need to be aware of or any extra precautions I can take? I would like to secure this quite well because the data is a bit sensitive and this is for a rather large employer.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Key Transactions

Post by Mordred »

You are describing PHP sessions with a cookie-based SID here, and you'll have more or less the same security concerns:
1. Don't leak the key (both on the server and on the client side)
2. Don't make the key predictable (strong random)
3. I'm not sure how Flash handles its persistent storage (I don't even remember what it's called), but do check if there are known attacks on that.
(4. I can't imagine how an equivalent of the session fixation attack can be done with Flash -- I know very little about Flash, just basic give-me-eternal-lives hacks -- but I suggest you do some research into it just in case)
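As an added example (not code from either poster), here is one way to implement the issue-and-validate scheme from the original post in PHP while covering Mordred's points on strong randomness and expiry; it assumes PHP 7+, a PDO handle `$pdo`, and an `api_keys` table with the columns shown in the comment.

```php
<?php
// Added example, not from the thread. Assumes a PDO handle $pdo and a table
// api_keys(key_hash CHAR(64) PRIMARY KEY, user_id INT, expires_at INT).
declare(strict_types=1);

const KEY_TTL_SECONDS = 900; // a key stops working 15 minutes after issue

// Issue a key once the username/password have been verified elsewhere.
// Only the SHA-256 of the key is stored, so a copied table does not
// contain keys that can be replayed against the API.
function issueKey(PDO $pdo, int $userId): string
{
    // 256 bits from the CSPRNG; never uniqid(), rand() or a hash of the time.
    $key = bin2hex(random_bytes(32));
    $stmt = $pdo->prepare(
        'INSERT INTO api_keys (key_hash, user_id, expires_at) VALUES (?, ?, ?)'
    );
    $stmt->execute([hash('sha256', $key), $userId, time() + KEY_TTL_SECONDS]);
    return $key; // handed to the Flash client exactly once, over HTTPS
}

// Validate the key sent with a transaction; returns the user id or null.
function validateKey(PDO $pdo, string $key): ?int
{
    // Reject anything that is not 64 hex chars before touching the database.
    if (!preg_match('/^[0-9a-f]{64}$/', $key)) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT user_id, expires_at FROM api_keys WHERE key_hash = ?'
    );
    $stmt->execute([hash('sha256', $key)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return null; // unknown or expired key: treat both the same way
    }
    return (int) $row['user_id'];
}

// Remove expired keys so the table does not grow forever (run from cron).
function purgeExpiredKeys(PDO $pdo): int
{
    $stmt = $pdo->prepare('DELETE FROM api_keys WHERE expires_at < ?');
    $stmt->execute([time()]);
    return $stmt->rowCount();
}
```

The credential check behind `issueKey()` should read the username and password from a POST body rather than from the `/api/auth/?user=..&pass=...` query string, since query strings are routinely written to web server access logs.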