Like I said, I’ve never worked with it before, but I know the terms, you are absolutely correct about session vars vs cookies. You can, in my understanding, do sessions with both. I have a link at home that uses PHP and cookies for a login script in HTML. That’s where I got the idea - I think. I know that with PHP you can set a cookie, check to see if it’s there, and have it destroy itself later. If the cookie’s gone, you’re logged out - I think…I’m gonna have to post that link for you because I haven’t gone that far with login systems - this simple one fit my purpose well.
And I’m also glad your tutorial was a great help:)
I’m living under the impression that session variables are more hardcore than cookies and that’s why I’ve formed a better opinion of them.
Besides, the whole session variable using thing doesn’t seem too complicated, at least when working with other than Flash projects, since you can just simply check the session in the beginning of each page’s code and destroy when it’s necessary. And it should be rather safe, security-wise.
I’ve been pondering on that today, but I haven’t quite figured out how to use sessions with Flash, I don’t think that it should be too hard and I’ll make experiments as soon as I have a little spare time.
It’s always a pleasure talking to colleagues and friends who are as excited about this world as you are yourself, so thanks for this too.
Sunny times:cowboy:
— EDIT MONSTER —
I JUST POSTED THIS AND YOU POSTED THAT ONE BELOW AT THE SAME TIME:)
hm… i don’t see why and how would php’s sessions be used within Flash, am i missing something??
From what I understand, sessions are like a way to ‘memorize’ variables and share the variables between a bunch of pages.
In flash, though, you’re always within a single movie, and therefore you can access variables from anywhere/any frame in the movie, so i don’t really see why would you use a session… once again, am i missing the point here?
No I believe that I might be missing the point. You see, I’m not that familiar with programming. As I explained earlier I haven’t quite grasped the essence of server-side Flash yet and earlier I was thinking about the very thing you said about sessions right now.
But if variables are stored, they can be stolen and someone complained to me about Flash’s security risks and I thought that well, if you store the variable with sessions and fetch them to Flash, then it might be more secure?
That’s just my own thinking and trying to get a grasp on things. But it’s a good point and I think that some hardass codemonkey is laughing his head off somewhere, but who gives a fuffaraa:)
sometimes, if you’re sending the session through the url (as in http://thing.com/index.php?mysessionid=007 ), the session ID can be stolen, and you want to avoid that… but then again, if you’re using Flash, you really will not need to use sessions… i suggest you do some more reading on sessions over at php.net
It’s kind of like the checklog variable in that tutorial. It will stay ‘1’ after someone logs in until you tell it not to (with the back button). Therefore, you can have buttons to navigate throughout a Flash movie without the user having to log in again.
Dunno for sure if something like that could be done and at least for my brain it is impossible to grasp how I could steal someone’s stuff like that, but I thought that I’d get a conversation going here.
For me Flash is secure enough and with AS obscuring with an external app gives even more security since the possible hacker can’t translate my AS hence never finding out which php codes are doing the work for me.
It’s an interesting subject though.
— EDIT MONSTER —
And FreddyThunder, correct me if I’m wrong…
I can use the checklog variable in my external swfs that contain possibilities to edit the content on my Flash page, right.
If I for instance place an “Add news item” -button in an external swf, which is loaded into the same mainframe that my external login.swf was loaded in, I can make for example an if - else statement in the button, right?
Like this:
button.onRelease = function() {
    if (checklog == 1) {
        // Add news item codes
    } else {
        // Tell the son of a gun to get outta my nose
    }
};
Yeah, you could do that. - but if it’s an external swf loaded in, you may need to put _root.checklog to check for the variable on the main timeline.
As for the hacking thing: As far as I know (not too much of a hacker), you can get swf decompilers that will rip open a swf file and expose the actionScript inside. Filenames are real easy to find if you don’t have an index.html file on the root of a folder or your server directories are turned on. For instance, if you had a bunch of pics in this folder: www.villek.com/project/pics/
you could put that in a browser and get a directory of all the files in that folder. You can shut that off with your .htaccess file.
Like I said to someone before when they said that my tutorial wasn’t a secure login system, I quoted the first paragraph where it said it wasn’t secure and noted this:
Just because you have a car alarm doesn’t mean your car can’t be stolen…
When it comes to security; if you need something secure, spend the time and money to make it SSL. Otherwise, know that it will be vulnerable. My client that uses this login system, I know, won’t have any visitors willing to take the time to break in to see their price lists.
I promise, I’m still working on that link for you. I’ve been working like mad over the past two days…matter of fact, I’m still at work!! This sucks!! It’ll be soon, I promise!!
Yeah, I know all that about .htaccess and swf decompilers.
Did you know that you can mess up a decompiler by using a freeware which messes up the AS and breaks down the decompiler? That’s what I was talking about earlier.
I’ll look the link up for you, I think I saw it somewhere in Kirupa. Not sure, but I think so.
It’s an AS obfuscator program. Freeware and it promises to make life a bit more hard for the hacker.
One method to make your online content to only work on your own server would be to make an if - else statement which uses url checking and only allows stuff to happen if the base url (www.myserver.com) is true.
ASO does almost nothing, I’ve written a review on ASV (an swf decompiler) and part of it was a test against ASO (see Case Study 1)… The obfuscated code was very readable/usable
As far as hacking the swfs and all that, you might find this article interesting:
The way I see it, if someone wants your code badly enough to download your SWF and buy a SWF decompiler, then they are a sad, lonely, empty shell of a human being and you should let them have that code just to brighten their day. You know it’s yours and you shouldn’t be putting sensitive data in a SWF anyway.
it’s not worth the hassle because no matter what you do they can get your stuff.
if all the authentication is done on the server-side, even if all the actionscript is revealed to the hacker, it still wouldn’t really help him hack the movie… also, use encrypted password, it’s much more secure
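An added example, not code from any poster in this thread: a PHP endpoint that makes the "add news item" decision from the server-side session instead of a flag inside the SWF, keeps the session ID in a cookie rather than the URL, and checks the password against a salted hash (password_hash, used here in place of reversible encryption). The field names (action, user, pass, text), the sample account and the log path are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Cookie-only session ID: never accepted from or written into a URL.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// Constructed sample account. A real site would load the stored hash
// from its user table instead of hashing a literal on each request.
$users = ['admin' => password_hash('constructed-sample-password', PASSWORD_DEFAULT)];

function login(array $users, string $name, string $password): bool
{
    $hash = $users[$name] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true); // fresh session ID once authenticated
    $_SESSION['user'] = $name;
    return true;
}

function addNewsItem(string $text): string
{
    // Decided from server-side session state only. A client-side flag
    // such as checklog is never consulted.
    if (!isset($_SESSION['user'])) {
        http_response_code(403);
        return 'ok=0&error=not_logged_in';
    }
    $line = json_encode(['by' => $_SESSION['user'], 'text' => $text]) . "\n";
    // Stand-in path for the example; keep real data outside the web root.
    file_put_contents(sys_get_temp_dir() . '/news.log', $line, FILE_APPEND | LOCK_EX);
    return 'ok=1';
}

// Replies are name=value pairs, the form Flash's LoadVars parses.
$action = $_POST['action'] ?? '';
if ($action === 'login') {
    $ok = login($users, (string)($_POST['user'] ?? ''), (string)($_POST['pass'] ?? ''));
    echo $ok ? 'ok=1' : 'ok=0';
} elseif ($action === 'add_news') {
    echo addNewsItem((string)($_POST['text'] ?? ''));
} else {
    http_response_code(400);
    echo 'ok=0&error=bad_action';
}
```

The secure cookie flag means the session cookie is only sent over HTTPS, so the endpoint has to be served over SSL for logins to persist.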