I'm a newbie converting a cfm site to flex and have a
question regarding the security implications of managing state on
the client.
In my cfm site I set a SESSION.variable for "isSignedIn"
which the CF server stores and (via the CFToken cookie accompanying
subsequent page requests) associates with, say, OwnerID=17. Thus the
client machine does not ever receive OwnerID=17.
However, a flex app using <mx:RemoteObject> changes
state upon successful signIn -- but how does the CF server know
that subsequent data requests from that app are for OwnerID=17
unless OwnerID=17 is stored on the client machine and accompanies
every "message"?
I've researched fairly extensively and figure that IF (I'm
not sure) <mx:RemoteObject> establishes a "constant" (until
signed out) pipe/channel to the CF server, then the "header"
OwnerID=17 is not necessary -- but I'm not sure if this is so, or if
<mx:RemoteObject> is NOT a "constant" channel but only a when-called
message-out-and-return structure à la HTTP.
And if it is a constant channel, what are the performance
implications of this on the CF server (it seems it would be a drain on
resources)? Presumably as well, the "constant" channel could only
be closed by the client (there not seeming to be any
SESSION.variable-like settings?).
I realize there are encryption protections available both for
storage on the client and for in-transit data packets, but am I
correct in asserting that sending OwnerID=17 down to the client at
any time is a security risk (i.e., motivating the duplication of a
GUID-based stored object -- aka SESSION variable -- analogy for my
application)?
Thanks in advance for all comments and feedback.
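The pattern the question is circling, as an added example in Python (this is not the poster's code, and it is not ColdFusion or Flex code). It models what ColdFusion's SESSION scope does for a page request and what a RemoteObject call gets when the Flex app runs in a browser: each AMF call is its own HTTP POST, the session cookie rides along with it, the server maps that opaque token to OwnerID, and the client never holds or sends OwnerID. The cookie name SESSIONID, the user table, the records and the idle timeout are all constructed for this example, and a dict stands in for the server-side session store. The naive variant beside the hardened one shows what trusting a client-supplied OwnerID allows.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# --- Constructed sample data (not real accounts) ---------------------------
# Passwords are stored salted and hashed; OwnerID lives only on the server.
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"static-salt-for-demo-only"  # a real system uses a per-user random salt
USERS = {"alice": {"pw_hash": _hash_pw("correct horse", _SALT), "owner_id": 17}}
RECORDS = {17: ["invoice-1", "invoice-2"], 99: ["someone-elses"]}

# Server-side session store keyed by an opaque random token.  ColdFusion's
# SESSION scope (keyed by CFID/CFTOKEN or JSESSIONID) plays this role; a dict
# stands in for it so the example runs stand-alone.
SESSIONS: dict = {}
IDLE_TIMEOUT = 20 * 60  # seconds; a session costs a map entry, not an open connection


def sign_in(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Check credentials; on success create a session and return the token the
    server would set as a cookie.  The token carries no meaning by itself."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["pw_hash"], _hash_pw(password, _SALT)):
        return None
    token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
    SESSIONS[token] = {"isSignedIn": True, "owner_id": user["owner_id"], "last_seen": now}
    return token


def sign_out(token: str) -> None:
    """The server can end a session on its own (logout, timeout, admin action)."""
    SESSIONS.pop(token, None)


def owner_for_request(cookies: dict, body: dict, now: Optional[float] = None) -> Optional[int]:
    """Resolve the caller from the session cookie only.  Each remote call is
    modelled as an independent request: cookies plus a message body.  Anything
    the client puts in the body (for example an OwnerID field) is ignored."""
    now = time.time() if now is None else now
    token = cookies.get("SESSIONID")
    session = SESSIONS.get(token) if token else None
    if session is None:
        return None
    if now - session["last_seen"] > IDLE_TIMEOUT:
        sign_out(token)  # idle timeout enforced server-side
        return None
    session["last_seen"] = now
    return session["owner_id"] if session.get("isSignedIn") else None


def get_records(cookies: dict, body: dict, now: Optional[float] = None) -> list:
    """A remote method: authorises from the session, never from the body."""
    owner = owner_for_request(cookies, body, now)
    if owner is None:
        raise PermissionError("not signed in")
    return list(RECORDS.get(owner, []))


def naive_get_records(body: dict) -> list:
    """The pattern the question worries about: trusting an OwnerID the client
    sent.  A client that edits the message reads another owner's data."""
    return list(RECORDS.get(body.get("OwnerID"), []))


if __name__ == "__main__":
    tok = sign_in("alice", "correct horse")
    # Forged OwnerID in the body changes nothing: the session says 17.
    print(get_records({"SESSIONID": tok}, {"OwnerID": 99}))
    # The naive version hands over owner 99's records.
    print(naive_get_records({"OwnerID": 99}))
```

Two things the example makes concrete: the only value that ever reaches the client is a random token with no meaning outside the server's session map, so revealing OwnerID is unnecessary rather than merely encrypted away; and the server holds no open channel per user, just a map entry it can expire or delete on its own terms.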