Key Transactions
Posted: Tue May 13, 2008 6:56 pm
Here's what I'm working with:
- A Flash GUI built using Adobe Flex Framework
- A PHP based API that returns requested data in XML format
Essentially what needs to happen is only authenticated people should be able to access the API. Here's the way I planned this:
Login details (username and password) would be sent to the API in order to be verified (/api/auth/?user=..&pass=...). If verified the API would return a key for future transactions. This key would then be logged into the database. When any more transactions are made the key is sent with that transaction and is checked against the database, and if valid, will return the appropriate data. This key will then expire after a certain amount of time.
My question is whether this is secure. Essentially I plan for the Flash application to send the request, log the key, and then use it in any further transactions. Are there any large exploits I need to be aware of, or any extra precautions I can take? I would like to secure this quite well, because the data is a bit sensitive and this is for a rather large employer.
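Below is an added example, not code from the original post, that models the flow the poster describes (login, server issues a key, key recorded in the database, key checked on every later call, key expires) so the security-relevant details are visible in code. It is written in Python rather than PHP purely so it runs stand-alone; the structure maps directly onto a PHP API. The user table, the 15-minute expiry, and the function names are assumptions for illustration. Two points the design as written leaves open are built in here: the key is generated from the OS CSPRNG (a predictable or sequential key would let one user guess another's), and only a hash of the key is stored, so a dumped sessions table cannot be replayed. Separately, note that credentials passed in a GET query string (`/api/auth/?user=..&pass=...`) are written to web-server access logs and proxy logs; a POST body over HTTPS avoids that.

```python
"""Model of a key-based API session scheme (added example, not the original post's code)."""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumed expiry window for an issued key
PBKDF2_ROUNDS = 100_000      # assumed work factor for password hashing


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; never store or compare plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt)}


# Constructed user table standing in for the real user database (assumption).
USERS = {"alice": make_user("correct horse battery staple")}

# Stands in for the sessions table: sha256(key) -> {user, expires}.
# Storing a digest instead of the key means a leaked table yields nothing replayable,
# and the dict lookup is on the digest, so lookup timing reveals nothing about the key.
SESSIONS = {}


def _token_digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def login(user: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Verify credentials; on success mint a random key, record its digest, return the key."""
    now = time.time() if now is None else now
    record = USERS.get(user)
    if record is None:
        # Burn the same cost for unknown users so response time does not reveal valid names.
        hash_password(password, b"\0" * 16)
        return None
    candidate = hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["pw_hash"]):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits of OS randomness, unguessable
    SESSIONS[_token_digest(token)] = {"user": user, "expires": now + TOKEN_TTL_SECONDS}
    return token


def check_key(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the owning username for a valid, unexpired key; purge it if expired."""
    now = time.time() if now is None else now
    digest = _token_digest(token)
    session = SESSIONS.get(digest)
    if session is None:
        return None
    if now >= session["expires"]:
        del SESSIONS[digest]  # expiry is enforced on every lookup, not just by a cron job
        return None
    return session["user"]


def handle_request(path: str, params: dict, now: Optional[float] = None) -> Tuple[int, str]:
    """Tiny dispatcher modelling the two API calls as (HTTP status, XML body) pairs."""
    if path == "/api/auth/":
        token = login(params.get("user", ""), params.get("pass", ""), now)
        if token is None:
            return 401, "<error>invalid credentials</error>"
        return 200, "<key>%s</key>" % token
    # Every other endpoint requires a valid key before any data is touched.
    user = check_key(params.get("key", ""), now)
    if user is None:
        return 401, "<error>invalid or expired key</error>"
    if path == "/api/data/":
        return 200, '<data owner="%s">...</data>' % user
    return 404, "<error>not found</error>"
```

In a PHP deployment the `SESSIONS` dict becomes a table keyed on the key's digest with an `expires` column, and the `now` parameter is only there so the expiry path can be exercised deterministically.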