First off, if there is a true, official way of having flash/flex's NetConnection
s usurp the session/cookie state of the surrounding web page, so that if the user has already logged in, they don't need to provide credentials again just to set up an AMF connection, please stop me now and post the official answer.
Barring that, I'm assuming there is not, as I have searched and it seems to not exist. I've concocted a means of doing this, but want some feedback as to whether it is secure.
- Accessing a wrapper-page for a flash object will always go to secure https due to django middleware
- When the page view is loaded in Django, it creates a "session alias" object with a unique key that points to the current session in play (in which someone ostensibly logged in)
- That session alias model is saved, and that key is placed into a cookie whose key is another random string, call it randomcookie
- That randomcookie key name is passed as a context variable and written into the html as a flashvar to the swf
- The swf is also loaded only via https
- The flash application uses
ExternalInterface
to call java to grab the value at that randomcookie location, and also deletes the cookie - It then creates a
NetConnection
to a secure server https location, passing that randomcookie as an argument (data, not in the url) to a login-using-cookie rpc - At the gateway side, pyamf looks up the session alias and gets the session it points to, and logs in the user based on that (and deletes the alias, so it can't be reused)
- (And the gateway request could also set the session cookie and session.session_key to the known session ID, but I could let it make a whole new session key... I'm assuming that doing so should affect the response properly so that it contains the correct session key)
- At this point, the returned cookie values on the flash side should stick to the
NetConnection
so that further calls are authenticated (if a connection is authenticated using username and password the normal way, this definitely works, so I think this is a safe bet, testing will soon prove or disprove this)
So, is this unsafe, or will this work properly? As far as I know, since the html page is guaranteed to be over ssl, the key and cookie data should be encrypted and not steal-able. Then, the info therein should be safe to use one-time as basically a temporary password, sent again over ssl because the gateway is also https. After that, it's using the normal pyAMF system over https and not doing anything out of the ordinary.
No responses on this so far, so the best I can do is confirm that it does in fact physically work. For details on how to set up Flex Builder to write html-wrappers that communicate with Django pages templates, see my other post. The above was accomplished using a combination of the aforementioned, plus:
Made a
SessionAlias
model:Flex points to a Django page that loads via a view containing:
In the flex html-wrapper, where randomcookie is the location to look for the alias:
In
applicationComplete
, where we get randomcookie and find the alias, and log on using that:Which in turn access this pyamf gateway rpc:
And at that point, on the flash/flex side, that particular
mynetconnection
retains the session cookie state that can make future calls such that, inside the gateway,request.user
is the properly-authenticated user that logged onto the webpage in the first place.Note again that the run/debug settings for flex must use https, as well as the gateway settings for
NetConnection
. And when releasing this, I have to make sure that authenticated users stay on https.Any further info from people would be appreciated, especially if there's real feedback on the security aspects of this...