
Can Flash make it unbreakable?


dcooldude_1
03-02-04, 11:27 AM
Posting in addition to my previous two posts on this board.... Can I take that script that I created and make it so that it is embedded inside of a Flash file.... I know that creates many problems for the user if they don't have Flash, so I will have to do a detection.... But can it work that way?

If so, could someone help me out a little......

stdunbar
03-02-04, 12:25 PM
Once again, though, you are trusting the client. Never, ever trust the client to do your authentication. The client is out of your control and could be hacked without you knowing it.

Let's back up. What are you really trying to do - just have a login area to a private URL? Your server is running:

Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_fastcgi/2.2.10 mod_jk/1.2.0 mod_perl/1.24_01 PHP/4.3.0 FrontPage/5.0.2 mod_ssl/2.8.12 OpenSSL/0.9.6b

so you've got Java/JSPs (mod_jk), CGIs, Perl (mod_perl), and PHP (mod_php) as server-side programming interfaces. Additionally, as it is Apache, you could just do a simple basic authentication mechanism (see http://httpd.apache.org/docs/howto/auth.html for how to set that up).

Server side security is the only way you'll get close to "unbreakable".

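As an added illustration of the basic-auth route stdunbar points to (this is not code from the thread), here are the .htaccess directives for protecting a directory on an Apache 1.3 server; the password-file path is an assumed placeholder:

```apache
# .htaccess placed in the directory to protect.
# The server must allow it: AllowOverride AuthConfig for this directory.
AuthType Basic
AuthName "Members only"
# Keep the password file outside the document root so it can never be
# served to a client. The path below is an assumed example.
AuthUserFile /home/example/.htpasswd
Require valid-user
```

Create the password file once with `htpasswd -c /home/example/.htpasswd alice` (drop `-c` when adding further users). Because the check runs in Apache on every request, a leaked URL is worthless without valid credentials, which is exactly the property a client-side Flash or JavaScript gate cannot provide.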

dcooldude_1
03-02-04, 12:56 PM
I know how to use .htaccess, but I don't want that stupid pop-up thing... I want it on my site.... Understand what I'm getting at? If it's in Flash... how can they hack it? I don't understand....

stdunbar
03-02-04, 01:37 PM
Flash will make it slightly more difficult to break. It all boils down to how important the information is. From the server's perspective, it has to trust that the client has gone through the correct process.

Let's say you have the best Flash-based login thing on the planet. It is encrypted and is totally secure. What is it going to do? It's going to take a user name and a password, do some magic with them, and, if the credentials are correct, allow the browser access to a URL. All I have to do is find that URL in your Flash code. Sure, it's binary, but that doesn't stop a hex editor. Additionally, once one person is in, they have a clear URL to send out to all of their friends - none of whom have to use your Flash login module. Again, the server just blindly trusts that the client has taken care of security.

If it is OK that some of the content you are serving is easily available to a minimally determined and nominally skilled hacker, then that is your call. Your JavaScript solution worked for some people, right?

I sense that you're just dying for the browser-side solution. I wish you well. Remember that two people on a really, really slow forum broke your JavaScript solution in about 10 minutes. If your server blindly trusts the client, then it will happen again - I guarantee it.

Lastly, you do not have to use basic auth with the popup. A very simple login example would be that you present an HTML page with a user name and password. This is POSTed to a JSP/CGI/PHP script on the server. The server determines that the user name and password are valid and sets a cookie that is just "loggedin=true" or some such. Then on each request the server checks to see whether that cookie exists. If it doesn't, then it does not allow access.

In real life, of course, it's not quite that simple. Cookies can be faked, which is why real servers use cookies that are difficult to predict. Look in your browser right now for a cookie from www.programmingtalk.com named sessionhash. It is a large hex number that is very difficult to predict.

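The two designs stdunbar describes above, the forgeable "loggedin=true" cookie and the unpredictable server-side session token, side by side as an added example (this is not code from the thread; the user store, password and cookie names are constructed for the demo, and the pure-Python classes stand in for the PHP/JSP/CGI handler that would receive the POST):

```python
import hashlib
import hmac
import secrets

# Constructed user store for the example: username -> (salt, sha256(salt || password)).
# sha256 is used only so the example runs on the standard library; a real
# deployment should use a slow password hash (bcrypt, scrypt or Argon2).
_SALT = b"constructed-example-salt"


def hash_password(salt: bytes, password: str) -> str:
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


USERS = {"alice": (_SALT, hash_password(_SALT, "correct horse"))}


def check_credentials(username: str, password: str) -> bool:
    """Verify a username/password pair against USERS with a constant-time compare."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown user is not distinguishable by timing.
        hash_password(_SALT, password)
        return False
    salt, stored = record
    return hmac.compare_digest(stored, hash_password(salt, password))


class WeakServer:
    """The "loggedin=true" cookie from the post: the server only checks that the
    cookie is present, so any client can set it by hand and walk straight in."""

    def login(self, username, password):
        if not check_credentials(username, password):
            return None
        return {"loggedin": "true"}

    def is_authorized(self, cookies):
        return cookies.get("loggedin") == "true"


class SessionServer:
    """The sessionhash idea: a random token that only exists in server-side state."""

    def __init__(self):
        self._sessions = {}  # token -> username

    def login(self, username, password):
        if not check_credentials(username, password):
            return None
        token = secrets.token_hex(32)  # 256 bits from the OS CSPRNG, 64 hex chars
        self._sessions[token] = username
        return {"sessionhash": token}

    def is_authorized(self, cookies):
        # Every request is checked here; a leaked URL is useless without a live token.
        token = cookies.get("sessionhash")
        return token is not None and token in self._sessions

    def logout(self, cookies):
        self._sessions.pop(cookies.get("sessionhash"), None)


def demo():
    """Drive both servers with bad passwords, a hand-forged cookie and a real login."""
    weak, strong = WeakServer(), SessionServer()
    forged = {"loggedin": "true"}  # what an attacker would type into a cookie editor
    results = {
        "weak_bad_password_login": weak.login("alice", "wrong"),
        "weak_forged_cookie_authorized": weak.is_authorized(forged),
        "strong_bad_password_login": strong.login("alice", "wrong"),
        "strong_forged_cookie_authorized": strong.is_authorized(forged),
        "strong_guessed_token_authorized": strong.is_authorized({"sessionhash": "00" * 32}),
    }
    cookie = strong.login("alice", "correct horse")
    results["strong_real_session_authorized"] = strong.is_authorized(cookie)
    strong.logout(cookie)
    results["strong_after_logout_authorized"] = strong.is_authorized(cookie)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The only thing the client ever holds is an opaque 256-bit value that the server generated and can revoke; the decision to grant access is made on the server on every request, which is the property no Flash or JavaScript wrapper can give you. In a real deployment the token would be stored in a database or session store rather than an in-memory dict, set with the Secure and HttpOnly cookie flags, and expired after a period of inactivity.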

e4c5
03-08-04, 12:34 PM
I will listen to stdunbar.