如何与 Flash 客户端进行会话? [英] How do I do sessions with a Flash client?

问题描述

自从 Flash Player(或更确切地说，URLLoader 类) 不会让您读取服务器设置的 HTTP 响应标头或 cookie，如果您通过诸如 伸手到浏览器运行JS，你不能把它发送到服务器，因为，等等，Cookie 标头将被阻止.

Since the Flash Player (or, more exactly, the URLLoader class) will not let you read HTTP response headers or cookies set by the server, and if you get hold of a session cookie through some workaround like reaching out to the browser and run JS, you can't send it to the server, because, among others, the Cookie header will be blocked.

现在我正在为我的服务器产品构建一个针对 HTTP API 的 Flex 客户端.我控制了双方，所以我可以绕过上述限制，现在我想知道如何.我看到以下选项:

Now I'm building a Flex client against an HTTP API for my server product. I control both sides, so I can get get around the above limitations, now I'm wondering how. I see the following options:

1. 在 HTTP 负载中包含会话令牌
2. 在 URL 中包含令牌
3. 使用Socket 类在AS 中构建我自己的 HTTP 客户端(... 使用二十一点和妓女...)

1. include the session token in the HTTP payload
2. include the token in the URL
3. build my own HTTP client (... with blackjack, and hookers ...) in AS, using the Socket class

我不喜欢 (1)，因为我正在我的协议中重新实现已经内置到 Struts 中的功能，我用它来实现服务器端.然后我必须确保两者的行为方式相同，或者关闭通常的会话管理方式并强制其他客户端使用我的协议，而他们可以让浏览器处理它.

I don't like (1), because I'm reimplementing functionality in my protocol that is already built into Struts, which I'm using to implement the server side. I then have to ensure that either both behave the same way, or turn off the usual way of session management and force other clients to use my protocol where they could just have the browser deal with it.

我不喜欢 (2)，因为我知道这存在安全问题，尽管 我不太确定

I don't like (2), because I understand that there are security concerns with this, although I'm not too sure which

我不喜欢 (3)，因为那是 2010 年，很多 HTTP 客户端都是由比我更聪明的人编写的.

I don't like (3), because it's 2010 and tons of HTTP clients have been written by smarter people than me.

那么，还有其他机会吗?你认为我的哪些不喜欢"最不严重?有没有办法减轻我列出的问题?例如，URL 中的会话令牌到底有多不安全?

So, are there other opportunities? Which of my "don't like"s do you reckon least severe? Are there ways to mitigate the problems I listed? For example, how insecure are session tokens in URLs really?

推荐答案

如何使用 FlashVars 参数?它被明确设计为将简单数据传递到 Flash 应用程序中，并且在服务器端生成页面时将会话令牌嵌入到标记中是微不足道的.PHP-wise，它会像

How about using the FlashVars parameter? It's designed explicitly to pass simple data into a Flash app, and it's trivial to embed the session token into the tag when the page is generated server-side. PHP-wise, it'd be something like

<embed href="movie.swf" flashvars="sessionID=<?= session_id(); ?>">blah blah blah</embed>

这样一来，电影 url 中的会话数据就不会通过引用泄露，而且数据已经在那里"，因此应用程序不必与浏览器联系和交谈.如果有人通过嗅探源 HTML 页面来获取数据，他们无论如何都可以从 HTTP 标头中获取相同的信息.

This way there's no session data in the movie's url that could leak via referers, and the data's already "there" so the app doesn't have to reach out and talk to the browser. And if someone's sniffing the source HTML page to get the data, they could have gotten the same information from the HTTP headers anyways.

还有更多详情此处 在 Adob​​e 文档中.

There's more details here in the Adobe docs.

这篇关于如何与 Flash 客户端进行会话?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！