Securing .net web services for flex/flash/AIR applications

What would be the best way to secure .net web services used by a flex application (both desktop and browser) that requires login?

I thought about requesting the user and password in every method of the web service, and having them stored as variables in the flex app, but I don't f开发者_如何学Goeel like this is the most elegant way.

suggestions?

thanks

Well, the fast and easy way would present a few options.

1. On every call pass the username/password via a header, and make it common place to re-validate.

2. Go with a "session" type setup, have them login once, give them a secure token, and they pass that for the rest of the time.

Those are at least the "fastest" ways of doing this. You have other options as well, but they are not as straight forward. In all of my WS integration processes these are the two most common.

the data is not encrypted though?

http://msdn.microsoft.com/en-us/library/ff648643.aspx

Vulnerabilities

Vulnerabilities that can make parameter manipulation possible include:

Messages that are not digitally signed to provide tamperproofing
Messages that are not encrypted to provide privacy and tamperproofing

Countermeasures

You can use the following countermeasures to prevent parameter manipulation:

Digitally sign the message. The digital signature is used at the recipient end to verify that the message has not been tampered with while it was in transit.
Encrypt the message payload to provide privacy.