如何与Flash客户端进行会话？ [英] How do I do sessions with a Flash client?

问题描述

由于Flash Player（或更确切地说， URLLoader class ）不会让您读取服务器设置的HTTP响应头或Cookie，如果您通过某种解决方法（例如接触浏览器并执行JS ，您无法将其发送到服务器，因为，等， Cookie 标题将被阻止。

Since the Flash Player (or, more exactly, the URLLoader class) will not let you read HTTP response headers or cookies set by the server, and if you get hold of a session cookie through some workaround like reaching out to the browser and run JS, you can't send it to the server, because, among others, the Cookie header will be blocked.

现在我正在为我的服务器产品的HTTP API构建一个Flex客户端。我控制双方，所以我可以得到绕过上述限制，现在我想知道如何。我看到以下选项：

Now I'm building a Flex client against an HTTP API for my server product. I control both sides, so I can get get around the above limitations, now I'm wondering how. I see the following options:

1. 在HTTP有效内容中包含会话令牌


2. 在URL中


3. 在AS中构建自己的HTTP客户端（...使用黑杰克和妓女...），使用 Socket class

1. include the session token in the HTTP payload
2. include the token in the URL
3. build my own HTTP client (... with blackjack, and hookers ...) in AS, using the Socket class

我不喜欢（1），因为我在协议中重新实现了功能它已经内置到Struts中，我用它来实现服务器端。然后我必须确保两者的行为相同，或关闭通常的会话管理方式，并强迫其他客户端使用我们的协议，他们只需要浏览器处理它。

I don't like (1), because I'm reimplementing functionality in my protocol that is already built into Struts, which I'm using to implement the server side. I then have to ensure that either both behave the same way, or turn off the usual way of session management and force other clients to use my protocol where they could just have the browser deal with it.

我不喜欢（2），因为我知道这有安全问题，虽然

I don't like (2), because I understand that there are security concerns with this, although I'm not too sure which

我不知道， t（3），因为它是2010年，大量的HTTP客户端是由比我更聪明的人写的。

I don't like (3), because it's 2010 and tons of HTTP clients have been written by smarter people than me.

那么，还有其他机会吗？我的不喜欢哪一个你认为最不严重？有没有办法缓解我列出的问题？例如，URL中的会话令牌如何不安全？

So, are there other opportunities? Which of my "don't like"s do you reckon least severe? Are there ways to mitigate the problems I listed? For example, how insecure are session tokens in URLs really?

推荐答案

如何使用FlashVars参数？它设计明确地将简单的数据传递到Flash应用程序，当服务器端生成页面时，将会话令牌嵌入到标记中很简单。 PHP-wise，它会像

How about using the FlashVars parameter? It's designed explicitly to pass simple data into a Flash app, and it's trivial to embed the session token into the tag when the page is generated server-side. PHP-wise, it'd be something like

<embed href="movie.swf" flashvars="sessionID=<?= session_id(); ?>">blah blah blah</embed>

这样，电影网址中没有可能通过引荐来源泄露的会话数据，有所以应用程序不必伸出手来和浏览器说话。如果有人嗅探源HTML页面获取数据，他们可能已经从HTTP头获得相同的信息。

This way there's no session data in the movie's url that could leak via referers, and the data's already "there" so the app doesn't have to reach out and talk to the browser. And if someone's sniffing the source HTML page to get the data, they could have gotten the same information from the HTTP headers anyways.

有更多详细信息此处在Adobe文档中。

There's more details here in the Adobe docs.

这篇关于如何与Flash客户端进行会话？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！