FLEX + AMFPHP User Authentication
I am trying to create a fairly simple User Authentification system using FLEX and AMFPHP, but I have a question about security.
Most examples I see send plain text usernames/passwords to a php file, which encrypts them, and sends them on to the database to either be checked or saved... am I missing something or is sending your username/password in plaintext a chance for a hacker to incercept the call and extract the in开发者_开发问答formation from your request? Would the request from FLEX be interceptable? or is it done serverside "behind closed doors"?
Yes you're right. Hash the password on the client and sends it to the server after that.
Alternatively, you could just force an HTTPS connection for your login page. That way, the password will be encrypted on the wire to the PHP server, but still available in plaintext to PHP so it can manage the hashing.
You can hash the password on the client and sends it to the server, but you must be aware that there are persons who can find out your hashing algorithm on client. If you try to foul a novice the hashing thing might work. But if you consider that the hacker is not some rookie, I think you should not even bother with the hash and use directly HTTPS.
Loading another swf nested in the previous do not resolve your problem. The browsers no not protect efficiently the files cached in the memory, and the hacker still can find the file you try to hide.
精彩评论