
  • Setting session data on authentication

    I would like the following events to happen:

    (1) Flex application at some point asks the user to login.
    (2) Application server authenticates the user and sets hidden data in the session (e.g. userID)
    (3) Flex application issues a request for data.
    (4) Application server extracts the hidden data and then uses it to complete the request (e.g. "SELECT r FROM Records r WHERE id=userID").

    The first step is handled by using custom authentication on the Flex side. The rest is a bit murky. This must be a common problem and I don't doubt that there is an RTFM answer somewhere.

    Any tips or hints?

  • #2
    I believe you just use the FlexContext class to access the HttpSession of an incoming request - see


    • #3
      Why would you not use a shared object on the flex side to keep track of the logged in user?



      • #4
        Why would you not use a shared object on the flex side to keep track of the logged in user?
        I assume that you are suggesting creating a User object which contains the user data and then using this in Flex. This has a real benefit of allowing most back-end operations to be stateless, but it should be avoided when application security is a priority. Here's why:

        Good security practices prohibit passing the user identifier outside of BlazeDS to the Flex side. As the endpoint (i.e. desktop or mobile phone) is not secure and as the application can be modified or replaced, the programmer must assume that all data passed to Flex is accessible to a malicious entity. If the back-end passes 'userID = 2' to Flex then a compromised application might update the identity claim 'userID = 5' before making a request to access data for a different user.

        Instead, a unique session identifier is typically generated by the application server, and key data is attached to and obtained from the session by the application. The FlexContext is one such mechanism.
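        Putting that advice into a BlazeDS remoting destination, as an added example (not code from the thread or from BlazeDS itself): the RecordService class, the CredentialStore interface, the records table and the JDBC wiring are assumptions for illustration; FlexContext.getFlexSession() is the BlazeDS call that returns the server-side session for the current request.

```java
import flex.messaging.FlexContext;
import flex.messaging.FlexSession;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class RecordService {
    private static final String USER_ID_KEY = "authenticatedUserId";
    // Hypothetical credential check: returns the user's id, or null on failure.
    public interface CredentialStore { Integer authenticate(String username, String password); }
    private final CredentialStore credentials;
    private final Connection db;

    public RecordService(CredentialStore credentials, Connection db) {
        this.credentials = credentials;
        this.db = db;
    }

    // Step 2: authenticate, then attach the identity to the server-side session.
    // The id is never returned to Flex; the client only learns success or failure.
    public boolean login(String username, String password) {
        Integer userId = credentials.authenticate(username, password);
        if (userId == null) return false;
        FlexSession session = FlexContext.getFlexSession();
        session.setAttribute(USER_ID_KEY, userId);
        return true;
    }

    // Steps 3 and 4: there is no userId parameter, so a modified client cannot
    // substitute another user's id; the identity comes only from the session.
    public List<String> getRecords() throws SQLException {
        Object userId = FlexContext.getFlexSession().getAttribute(USER_ID_KEY);
        if (!(userId instanceof Integer)) throw new SecurityException("not authenticated");
        List<String> titles = new ArrayList<>();
        try (PreparedStatement ps = db.prepareStatement(
                "SELECT title FROM records WHERE owner_id = ?")) {
            ps.setInt(1, (Integer) userId); // bound parameter, no string concatenation
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) titles.add(rs.getString("title"));
            }
        }
        return titles;
    }
    // Drop the server-side identity on logout.
    public void logout() { FlexContext.getFlexSession().invalidate(); }
}
```

        The same session is also reachable as an HttpSession via FlexContext.getHttpRequest().getSession(), which matters if other servlets in the same web application need to read the identity.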