Flash authentication without database
2004-02-22 - By Jim Cheng
Dominico Savio wrote:
> never mind my last post :) I just use the easy way, read the XML-formatted
> text file (located outside the root) from PHP then pass it to Flash, and
> Flash makes it an XML object :) This way, I don't have to modify my existing
> code :)
If your XML file contains sensitive data such as a password
list, you should *never* have it accessible to the client.
What you propose would only be safe if the XML file contained
information that you wouldn't mind being public. I wouldn't
go with your proposed way unless you don't mind the XML file
being public.
Passwords should always be stored and verified on a server.
If security is important, also consider hashing it with a
one-time salt and/or transmitting via HTTPS.
With PHP, the documentation is actually quite decent--there's
a slight learning curve with the syntax, though the best way
is probably to get your hands on some code and start modifying
it to add functionality and then debugging your changes.
I'll even give you some code to start playing with.
Essentially, it's:
1. Open password list from a text file outside of web root
2. Read the username/password pairs from the file
3. Find the supplied username in the file (if possible)
4. Compare supplied password against what's in the file
5. Act accordingly based on the comparison(s)
You can use hashed passwords for added security on a shared
server if you'd want. It's just a few extra calls to crypt(),
md5() or sha1().
Here's a quick and dirty run-down for a plain-text password
file with one tab-delimited username and password pair per
line and a few XML files to hand back to Flash for different
situations (change the filepaths as appropriate):
In PHP:
<code>
<?php
// Read in the data that Flash sent over (empty string if a field is missing).
$username = isset($_GET["username"]) ? $_GET["username"] : "";
$password = isset($_GET["password"]) ? $_GET["password"] : "";

// Tell Flash that we're going to send back XML.
header("Content-Type: text/xml");

// Read in the passwords from a text file, dropping each line's trailing
// newline so the password comparison below can match.
$lines = file("/home/myaccount/passwords.txt", FILE_IGNORE_NEW_LINES);
if ($lines === false) {
    // File could not be read; treat it as an empty list.
    $lines = array();
}

// Iterate through the password file line by line
foreach ($lines as $line) {
    // Split each line into tab-delimited username/password
    $pair = explode("\t", $line, 2);
    if (count($pair) === 2 && $pair[0] === $username) {
        // Found the user
        if ($pair[1] === $password) {
            // Password matches, so hand over the secrets.
            readfile("/home/myaccount/secret-data.xml");
            exit();
        }
        else {
            // Password doesn't match, report an error.
            readfile("/home/myaccount/bad-password.xml");
            exit();
        }
    }
}

// If it gets down here, the user isn't on the list
readfile("/home/myaccount/bad-user.xml");
exit();
?>
</code>
Regards,
Jim
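
The hashed-password variant of the five steps above, as an added example that is not part of the original message. It uses PHP's `password_hash()` and `password_verify()` rather than the crypt(), md5() or sha1() calls named in the post, and returns a single result for both failure cases; the function names and sample accounts are constructed for illustration.

```php
<?php
// Added example (not from the original post). Function names and the
// sample accounts below are constructed for illustration.

// Parse "username<TAB>hash" lines into a username => hash map.
function load_password_file(string $path): array {
    $users = [];
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    foreach ($lines ?: [] as $line) {
        $pair = explode("\t", $line, 2);
        if (count($pair) === 2 && $pair[0] !== '') {
            $users[$pair[0]] = $pair[1];
        }
    }
    return $users;
}

// Returns true only when the user exists and the password matches.
function check_login(array $users, string $username, string $password): bool {
    // A throwaway hash is verified for unknown users so that both
    // failure paths perform the same amount of hashing work.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('placeholder', PASSWORD_DEFAULT);
    $known = array_key_exists($username, $users);
    $ok = password_verify($password, $known ? $users[$username] : $dummy);
    return $known && $ok;
}

// Constructed sample data: build a password file in a temp location.
// In deployment the file lives outside the web root, as the post says.
$path = tempnam(sys_get_temp_dir(), 'pw');
file_put_contents($path,
    "alice\t" . password_hash('correct horse', PASSWORD_DEFAULT) . "\n" .
    "bob\t"   . password_hash('hunter2', PASSWORD_DEFAULT) . "\n");

$users = load_password_file($path);
var_dump(check_login($users, 'alice', 'correct horse')); // valid pair
var_dump(check_login($users, 'alice', 'wrong'));         // bad password
var_dump(check_login($users, 'mallory', 'hunter2'));     // unknown user
unlink($path);
```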