If you run your own server or even just use a shared hosting account
for your Flashcom applications, then you should be aware that
anyone who can guess or indeed spy on your connection string can
connect and abuse your bandwidth and connections. In this tutorial
I show you one way of making life a little bit harder for these hijackers.
Please note that ideally you would be using the <Allow>mydomain.com</Allow> tag
in vhost.xml, but this can sometimes be a bit awkward, especially on a development
server.
Whenever a client (Flash movie) connects to your application it will invoke
the application.onConnect method on the server.
We will use this method to authenticate the movie, basically making sure
that it is allowed to connect.
Let's have a look at the following server-side script, which is located inside
main.asc. This script can authenticate multiple domains.
The first line loads your components; you can omit this line if you are not
using any pre-built communication components in your movie.
This is followed by the onConnect method, which receives one parameter: client_obj.
The client_obj parameter must always be passed
in order to assign the client to the application. You can extend this function
to receive as many parameters as you like but for our needs the client_obj is
sufficient.
We then declare our allowed domain, once with www prefixed and once without.
It is set up to accept connections from various variations of flashcomguru.com,
but you must change this domain to the one of your own website - doh! Also
make sure you write it in lowercase.
We then read the referrer and convert it to lower case (just to be safe).
var theReferrer = client_obj.referrer.toLowerCase();
What follows is the actual comparison between our allowedDomain and the domain
of the swf that is trying to connect. We do this by looping over the domainList
array and checking if our allowed domain is a substring of the referrer. We
also make sure that the match is at the very start of the referrer and not further along,
otherwise a referrer that merely contains your domain somewhere in its path or query string would pass.
if (challenge == 0) {...
Thanks to Brian Lesser for spotting this one.
The rest is fairly self-explanatory. If we find a match we set a variable
acceptit to 1. In the if statement that follows we decide - based on the
value of acceptit - whether we accept or reject the connection.
Please note that this method does not require any scripting on the client
side (inside your swf file) but it is not as secure as using the <Allow> tag
in vhost.xml.
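The check described above, written out as an added example (this is not the tutorial's own main.asc listing). It runs as plain JavaScript so that it can be tried outside FlashCom: the application object with its acceptConnection/rejectConnection methods and the client_obj with its referrer are stand-ins constructed here, whereas on a real server FlashCom supplies both. The domainList entries assume the referrer is a full URL, so the scheme is included in each allowed prefix; the extra boundary check after the prefix is an addition beyond the article's version of the test.

```javascript
// In real main.asc the first line would be load("components.asc");
// that call is omitted here because it only exists inside FlashCom.

// Allowed referrer prefixes, in lowercase, once with www and once without.
// Assumption: client_obj.referrer is the full URL of the connecting swf.
var domainList = [
  "http://www.flashcomguru.com",
  "http://flashcomguru.com"
];

// Returns true when the referrer starts with one of the allowed prefixes
// and the prefix ends at a URL boundary (end of string, "/", ":", "?" or "#").
function isAllowedReferrer(referrer, allowed) {
  if (typeof referrer !== "string") {
    return false; // no referrer at all (e.g. standalone player) is rejected
  }
  var theReferrer = referrer.toLowerCase(); // just to be safe
  for (var i = 0; i < allowed.length; i++) {
    var challenge = theReferrer.indexOf(allowed[i]);
    // The match must be at the very start of the referrer, not further along,
    // otherwise "http://evil.example/?u=http://flashcomguru.com" would pass.
    if (challenge === 0) {
      // The character right after the prefix must be a URL boundary, so that
      // "http://flashcomguru.com.example/..." does not count as flashcomguru.com.
      var next = theReferrer.charAt(allowed[i].length);
      if (next === "" || next === "/" || next === ":" || next === "?" || next === "#") {
        return true;
      }
    }
  }
  return false;
}

// Stand-in for the FlashCom application object (constructed for this example).
// On a real server these two methods are provided by FlashCom itself.
var application = {
  accepted: [],
  rejected: [],
  acceptConnection: function (client) { this.accepted.push(client); },
  rejectConnection: function (client) { this.rejected.push(client); }
};

// The onConnect handler as it would be written in main.asc: client_obj must be
// passed so that the client can be assigned to the application.
application.onConnect = function (client_obj) {
  var acceptit = isAllowedReferrer(client_obj.referrer, domainList) ? 1 : 0;
  if (acceptit === 1) {
    application.acceptConnection(client_obj);
  } else {
    application.rejectConnection(client_obj);
  }
};
```

Keep in mind that the referrer is reported by the connecting client, so this check raises the bar for casual hijacking but, as the article says, is no substitute for the <Allow> tag in vhost.xml.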
If you are looking for a few more advanced ways of authenticating a user, I
can highly recommend Kevin Towes' book 'Flash Communication Server MX'.
He provides code listings on his site, including this
one, which authenticates a user through FlashCom via Remoting to an Access
database.
Another great read is Bill Sanders' book out of the Reality Series - one of my favourites on Flashcom.
A slightly easier way is to use a server-side array of valid passwords, as
described in chapter 11 of his book. You can find the code
for it here. However, this might be easily hacked with an ActionScript
decompiler.
Another good article can be found at Macromedia, courtesy of Kristopher Schulz.
Please note that I haven't tested this code extensively, so please double-check
that it works for you. For more information please also refer to FCS security reviewed.
Have fun.