Flex3 AMFPHP MySQL - How to securely authenticate from swf to server?

Imagine two scenarios:
1) A new user is registering using the flex form and sends his brand new password from the swf to the server.

2) An existing user is logging in using the flex form thus sending his username/password combo to the server for authentication.

How may I ensure that the password cannot be gleaned/easedropped on its way to the server from the swf?  Encryption? If so, how?

AND ALSO: What form should I store the password into the database using php/mysql to ensure best practices of security?
tate1615Asked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
asaivanConnect With a Mentor Commented:
I would recommend using the MD5 class.
http://gsolofp.blogspot.com/2006/01/actionscript-3-md5-and-sha1.html

I encrypt in MD5 before sending to the server.  On the MySQL side you don't really have to worry about it.  It will go in as MD5, you just need to chack against the MD5 hash.

You could also use SHA1.
0
 
r_bielakConnect With a Mentor Commented:
hi there...
the best known practice is to use ssl - i mean https instead of http
and then you will not need to worry
0
 
Jones911Connect With a Mentor Commented:
I agree with r_bielak.  You can use AMF over SSL with Flex remoting.
0
Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

 
Jones911Commented:
Sending MD5 hashes without SSL is still a risk.
0
 
asaivanCommented:
True.  It depends on HOW secure you want it to be.  Encrypting the password only saves having to set up SSL on the server, or deal with certificates and costly certificate authorities.  But if you've got all that in place, then I suppose it's not that big of a deal.
0
 
Jones911Commented:
Good point.  SSL can be a factor if you have multiple domains and only 1 IP.
0
 
tate1615Author Commented:
Yup I know that SSL is a good start.

asaivan: That library does not look stable.  There are warnings in FB in the code.
0
 
asaivanCommented:
That's not due to lack of stability.  Those warnings are the authors use of doubling up on some variable assignments.  You can easily remove them but refactoring a tiny bit.
0
All Courses

From novice to tech pro — start learning today.