[SabreAMF] Fwd: Authentication problems/observations/question
Evert | Rooftop
evert at rooftopsolutions.nl
Thu Jan 3 09:56:42 PST 2008
My personal approach has always been to always use custom methods,
because it becomes much easier to supply additional feedback about why
authentication didn't work..
Are cookies preserved across all browsers? I don't know exactly which OS
+ browser combination, but I'm fairly sure there used to always be one
of them that never preserved cookies.. I think it's either IE or Windows
+ FF. This might have changed since FP9, but if it hasn't,
Authentication in AS3 is pretty much useless. AMF0 would always submit
the user + password with every single request..
The logout thing is actually a feature gap, I think it makes sense to
implement an onLogout.. If there's any way you could send me a 'saved
charles session', that would be very helpful, and I can probably
implement it pretty quickly..
Evert
Wilhansen Li wrote:
> I have been experimenting with the authentication functions of
> Flex/SabreAMF using the onAuthenticate callback, here are my
> observations on accessing a Flex-compiled swf file directly within a
> browser (haven't tested it with AIR, cookies, and with Javascript
> intervention):
>
> onAuthenticate calling:
> - Will only be called once even if you called setCredentials
> repeatedly with the same credentials (not so sure if you used another
> set of credentials for each repetition)
> - Will be called again if you did a RemoteObject.logout and called
> setCredentials again.
>
> Throwing an exception from onAuthenticate:
> - The client will report a "ping failure" no matter what exception you
> throw if you called setCredentials before anything else.
> - The client won't report anything if you threw an exception from
> onAuthenticate and ONLY called setCredentials
> - Will report the exception thrown by onAuthenticate if setCredentials
> is immediately followed by a RPC.
>
> PHP sessions:
> - Gets preserved through the client's lifetime
> - Won't get reset if RemoteObject.logout is called (i.e. the reset
> will have to be manually set from the server side).
>
> Having these said, how would one go about implementing sessions using
> the AMF format? Or to be a bit more fundamental, what's the purpose of
> the onAuthenticate callback? (yes I know it's for authenticating.. but
> what kind of authentication? and what was it meant for?) As I see it,
> one would probably be better off using his own login/logout
> protocols/messages/RPCs
> instead of the built-in onAuthenticate callback.
>
> As an additional note, I also checked the examples in the PyAMF
> implementation and the use is also pretty vague (I haven't actually
> tried it yet as the setup of python is a bit of a hassle compared to
> php where you can just do ad hoc testing without touching an htaccess
> file)
> --
> (<_<)(>_>)(>_<)(<.<)(>.>)(>.<)
> Life is too short for dial-up.
>
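The custom login/logout approach discussed in this thread, as an added example that is not part of either message and is not SabreAMF code. The class name `AuthService`, its method names and the result array shape are hypothetical, it assumes PHP 7 or later, and how the AMF gateway dispatches calls to the class is left out.

```php
<?php
// Added example: hypothetical service class, not part of SabreAMF.
class AuthService
{
    private $users;  // username => password_hash() output, supplied by the caller
    private $dummy;  // hash verified for unknown users so both failures cost the same

    public function __construct(array $users)
    {
        $this->users = $users;
        $this->dummy = password_hash('placeholder', PASSWORD_DEFAULT);
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
    }

    // Explicit login RPC: returns a result the client can display, rather
    // than an exception that the client reports as a "ping failure".
    public function login(string $username, string $password): array
    {
        $hash  = $this->users[$username] ?? $this->dummy;
        $valid = password_verify($password, $hash);
        if (!$valid || !isset($this->users[$username])) {
            return ['ok' => false, 'reason' => 'bad_credentials'];
        }
        session_regenerate_id(true);      // fresh session id once authenticated
        $_SESSION['user'] = $username;
        return ['ok' => true, 'user' => $username];
    }

    // Explicit logout RPC: RemoteObject.logout leaves the PHP session
    // intact, so the server resets it itself.
    public function logout(): array
    {
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
        return ['ok' => true];
    }

    // Guard for every other RPC: the server-side session decides, not
    // credentials resent with each request.
    public function requireUser(): string
    {
        if (empty($_SESSION['user'])) {
            throw new Exception('not_authenticated');
        }
        return $_SESSION['user'];
    }
}
```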