[SabreAMF] Fwd: Authentication problems/observations/question

Wilhansen Li krad at crammerz-inc.net
Thu Jan 3 09:41:27 PST 2008


I have been experimenting with the authentication functions of
Flex/SabreAMF using the onAuthenticate callback. Here are my
observations on accessing a Flex-compiled swf file directly within a
browser (haven't tested it with AIR, cookies, and with JavaScript
intervention):

onAuthenticate calling:
- Will only be called once even if you called setCredentials
repeatedly with the same credentials (not so sure if you used another
set of credentials for each repetition)
- Will be called again if you did a RemoteObject.logout and called
setCredentials again.

Throwing an exception from onAuthenticate:
- The client will report a "ping failure" no matter what exception you
throw if you called setCredentials before anything else.
- The client won't report anything if you threw an exception from
onAuthenticate and ONLY called setCredentials
- Will report the exception thrown by onAuthenticate if setCredentials
is immediately followed by a RPC.

PHP sessions:
- Gets preserved through the client's lifetime
- Won't get reset if RemoteObject.logout is called (i.e. the reset
will have to be manually set from the server side).

Having said this, how would one go about implementing sessions using
the AMF format? Or to be a bit more fundamental, what's the purpose of
the onAuthenticate callback? (yes I know it's for authenticating.. but
what kind of authentication? and what was it meant for?)  As I see it,
one would probably be better off using his own login/logout
protocols/messages/RPCs instead of the built-in onAuthenticate callback.

As an additional note, I also checked the examples in the PyAMF
implementation and the use is also pretty vague (I haven't actually
tried it yet as the setup of Python is a bit of a hassle compared to
PHP where you can just do ad hoc testing without touching an htaccess
file).
--
(<_<)(>_>)(>_<)(<.<)(>.>)(>.<)
Life is too short for dial-up.
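
The server-side session reset and the explicit login/logout RPCs discussed in the message above, as an added example that is not part of the original post and not SabreAMF code. The class name `AuthService`, its method names and the user store are hypothetical; it assumes the class is exposed as an ordinary remoting service and that PHP's cookie-based sessions are in use.

```php
<?php
// Hypothetical service class: AuthService and its methods are assumptions,
// not SabreAMF API. Each public method is meant to be called as a normal RPC.
class AuthService
{
    /** @var array username => password_hash() value (constructed sample store) */
    private $users;

    public function __construct(array $users)
    {
        $this->users = $users;
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
    }

    public function login($username, $password)
    {
        $hash = isset($this->users[$username]) ? $this->users[$username] : null;
        if ($hash === null || !password_verify($password, $hash)) {
            throw new Exception('Invalid credentials');
        }
        // Issue a fresh session id on login so a pre-login id cannot be reused.
        session_regenerate_id(true);
        $_SESSION['user'] = $username;
        return true;
    }

    public function logout()
    {
        // Per the post, the client-side logout leaves the PHP session intact,
        // so the session is cleared and destroyed here on the server.
        $_SESSION = array();
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
        return true;
    }

    // Call at the top of every protected service method.
    public function requireUser()
    {
        if (empty($_SESSION['user'])) {
            throw new Exception('Not logged in');
        }
        return $_SESSION['user'];
    }
}
```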


