Expand my Community achievements bar.

Join us in celebrating the outstanding achievement of our AEM Community Member of the Year!
SOLVED

Flex RemoteObject to CF8 security&channel

Avatar

Level 2
I'm a newbie converting a cfm site to flex and have a
question regarding the security implications of managing state on
the client.



In my cfm site I set a SESSION.variable for "isSignedIn"
which CF server stores and (via CFToken cookie accompanying
subsequent page requests) associates with say OwnerID=17. Thus the
client machine does not ever receive OwnerID=17.



However, a flex app using <mx:RemoteObject> changes
state upon successful signIn -- but how does the CF server know
that subsequent data requests from that app are for OwnerID=17
unless OwnerID=17 is stored on the client machine and accompanies
every "message"?



I've researched fairly extensively and figure that IF (I'm
not sure) <mx:RemoteObject> establishes a "constant" (until
signed out) pipe/channel to the CF server then the "header"
OwnerID=17 is not necessary -- but I'm not sure if this is so or if
<mx:RemoteObject> is NOT a "constant" channel but only a when
called message out & return structure a la HTTP.



And if it is a constant channel, what are the performance
implications on the CF server of this (seems it would be a drain of
resources). Presumably as well, the "constant" channel could only
be closed by the client (there not seeming to be any
SESSION.variable like settings???)



I realize there are encryption protections available both for
storage on the client and for in transit data packets but am I
correct in asserting that sending OwnerID=17 down to the client at
any time is a security risk (ie. motivating the duplication of a
GUID based stored object -- aka SESSION variable -- analogy for my
application)?



Thanks in advance for all comments and feedback.
1 Accepted Solution

Avatar

Correct answer by
Level 2
For others who may be reading this thread (and to express
thanks/credit where appropriate, the following was provided by the
ColdFusion guru himself:



benforta: you can use the same thing, if you set a SESSION on
the CF server and the id and token will get set, as RemoteObject
uses HTTP



benforta: But, generally, most session stuff in a CF/Flex app
belongs on the client, with the exception of actual logged in state



me: so if RemoteObject uses HTTP is it correct to say 1) the
connection is not a constant channel and 2) the CFID, CFToken
cookie "header" should be attached to every RemoteObject
communication?



benforta: correct



benforta: AMF is client initiated over HTTP via the browser



me: and this CFID,CFToken "header" accompanying every AMF
message is that set by the cookie installed into the browser by
(say) the index.cfm page which loaded the flex app (ie and NOT a
second CFID,CFToken allocation assigned by CF to the flex app as
say a flex stored object)?



benforta: correct, any cookies shoudl get sent back by the
browser with any HTTP request, and an AMF request is an HTTP
request



benforta: So long as it is the same domain (and path if
appropriate), same rules as any browser conten



me: Have you any idea how this would translate to an AIR app?




benforta: whole different animal there, requests are not
originating in a browser, will be trickier

View solution in original post

3 Replies

Avatar

Correct answer by
Level 2
For others who may be reading this thread (and to express
thanks/credit where appropriate, the following was provided by the
ColdFusion guru himself:



benforta: you can use the same thing, if you set a SESSION on
the CF server and the id and token will get set, as RemoteObject
uses HTTP



benforta: But, generally, most session stuff in a CF/Flex app
belongs on the client, with the exception of actual logged in state



me: so if RemoteObject uses HTTP is it correct to say 1) the
connection is not a constant channel and 2) the CFID, CFToken
cookie "header" should be attached to every RemoteObject
communication?



benforta: correct



benforta: AMF is client initiated over HTTP via the browser



me: and this CFID,CFToken "header" accompanying every AMF
message is that set by the cookie installed into the browser by
(say) the index.cfm page which loaded the flex app (ie and NOT a
second CFID,CFToken allocation assigned by CF to the flex app as
say a flex stored object)?



benforta: correct, any cookies shoudl get sent back by the
browser with any HTTP request, and an AMF request is an HTTP
request



benforta: So long as it is the same domain (and path if
appropriate), same rules as any browser conten



me: Have you any idea how this would translate to an AIR app?




benforta: whole different animal there, requests are not
originating in a browser, will be trickier