Here's what I'm working with:
- A Flash GUI built using Adobe Flex Framework
- A PHP based API that returns requested data in XML format
Essentially what needs to happen is only authenticated people should be able to access the API. Here's the way I planned this:
Login details (username and password) would be sent to the API in order to be verified (/api/auth/?user=..&pass=...). If verified the API would return a key for future transactions. This key would then be logged into the database. When any more transactions are made the key is sent with that transaction and is checked against the database, and if valid, will return the appropriate data. This key will then expire after a certain amount of time.
My question is whether this is secure. Essentially I plan for the Flash application to send the request, log the key, and then use it in any further transactions. Are there any large exploits I need to be aware of or any extra precautions I can take? I would like to secure this quite well because the data is a bit sensitive and this is for a rather large employer.
Key Transactions
Re: Key Transactions
You are describing PHP sessions with a cookie-based SID here, and you'll have more or less the same security concerns:
1. Don't leak the key (both on the server and on the client side)
2. Don't make the key predictable (strong random)
3. I'm not sure how Flash handles its persistent storage (I don't even remember what it's called), but do check if there are known attacks on that.
(4. I can't imagine how an equivalent of the session fixation attack can be done with Flash -- I know very little about Flash, just basic give-me-eternal-lives hacks -- but I suggest you do some research into it just in case)
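Here is the scheme from the question (verify credentials, issue a key, check it on every later call, let it expire) with the reply's first two points applied, as an added PHP example; it is not code from the original poster or from the forum. The key comes from the OS CSPRNG so it is unpredictable, and only a SHA-256 hash of it is stored, so a dumped database does not hand out live keys. Credentials and the key are read from the POST body instead of the query string, because anything in a GET URL ends up in web-server access logs and proxy logs, which is the easiest way to leak it on the server side. Assumptions: the table names users and api_keys and their columns, a 30-minute key lifetime, an in-memory SQLite database through pdo_sqlite standing in for the real one, and PHP 7 or later (for random_bytes() and password_hash()).

```php
<?php
// Added example (not the original poster's code): key issuance and validation
// for the PHP API described in the thread. Assumptions: table/column names,
// a 30-minute lifetime, SQLite in memory via pdo_sqlite instead of the real DB.
declare(strict_types=1);

const KEY_LIFETIME_SECONDS = 1800; // assumption: keys expire after 30 minutes

function setup_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');
    $db->exec('CREATE TABLE api_keys (key_hash TEXT PRIMARY KEY, user_id INTEGER, expires_at INTEGER)');
    // Constructed sample user; password_hash() uses bcrypt with a per-user salt.
    $st = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    $st->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    return $db;
}

// /api/auth/: verify username and password, issue a fresh key (or null on failure).
function issue_key(PDO $db, string $username, string $password, int $now): ?string {
    $st = $db->prepare('SELECT id, pw_hash FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    // Always run password_verify(), even for unknown users, so response timing
    // does not reveal which usernames exist.
    $hash = $row ? $row['pw_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash);
    if (!$row || !$ok) {
        return null;
    }
    $key = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG: not guessable
    $st = $db->prepare('INSERT INTO api_keys (key_hash, user_id, expires_at) VALUES (?, ?, ?)');
    $st->execute([hash('sha256', $key), (int)$row['id'], $now + KEY_LIFETIME_SECONDS]);
    return $key; // the plaintext key goes to the client once and is never stored
}

// Every other call: map the presented key to a user id, or null if unknown/expired.
function user_for_key(PDO $db, string $key, int $now): ?int {
    $keyHash = hash('sha256', $key);
    $st = $db->prepare('SELECT user_id, expires_at FROM api_keys WHERE key_hash = ?');
    $st->execute([$keyHash]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return null;
    }
    if ((int)$row['expires_at'] <= $now) {
        revoke_key($db, $key); // expired: remove it so the table does not grow forever
        return null;
    }
    return (int)$row['user_id'];
}

// Server-side revocation (a logout call is worth having alongside expiry).
function revoke_key(PDO $db, string $key): void {
    $db->prepare('DELETE FROM api_keys WHERE key_hash = ?')->execute([hash('sha256', $key)]);
}

// Dispatcher: everything secret is read from the POST body, never from the URL.
// The endpoint must be served over HTTPS, otherwise the key is readable on the wire.
function handle_request(PDO $db, string $path, array $post, int $now): array {
    if ($path === '/api/auth/') {
        $key = issue_key($db, $post['user'] ?? '', $post['pass'] ?? '', $now);
        return $key === null
            ? ['status' => 401, 'body' => '<error>bad credentials</error>']
            : ['status' => 200, 'body' => '<key>' . $key . '</key>'];
    }
    $uid = user_for_key($db, $post['key'] ?? '', $now);
    if ($uid === null) {
        return ['status' => 401, 'body' => '<error>invalid or expired key</error>'];
    }
    return ['status' => 200, 'body' => '<data user="' . $uid . '"/>'];
}

// Walk-through with constructed input: log in, use the key, watch it expire.
$db = setup_db();
$t0 = time();
$login = handle_request($db, '/api/auth/', ['user' => 'alice', 'pass' => 'correct horse battery staple'], $t0);
echo "login: {$login['status']}\n";
$key = substr($login['body'], 5, 64); // strip the <key> wrapper
echo "data with fresh key: " . handle_request($db, '/api/data/', ['key' => $key], $t0)['status'] . "\n";
echo "same key an hour later: " . handle_request($db, '/api/data/', ['key' => $key], $t0 + 3600)['status'] . "\n";
echo "wrong password: " . handle_request($db, '/api/auth/', ['user' => 'alice', 'pass' => 'wrong'], $t0)['status'] . "\n";
```

On the Flash side, send the credentials and the key with a URLRequest whose method is URLRequestMethod.POST, and keep the key in a variable in the running application rather than writing it to a Local Shared Object (Flash's persistent storage), so it disappears when the application is closed. Because the lookup goes through a hash of the key, an attacker who reads the api_keys table still has to invert SHA-256 on 256 random bits to use any of them, and exposure of the plaintext key is limited to the client, the TLS connection, and the server's memory.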