0

I have a flex application, running with amfphp and connected to wamp, I want to use a secure connection using ssl, but my whole application is running from the same swf file, would using ssl in that case mean that all the data, being sent and received between the server and client , encrypted? Because this is not what I'm trying to do, I only want to encrypt the sign up and sign in data.

please note that, I have log-in bar which is visible the whole time as long as the user is not signed in. in other words, I only want to secure some of the data being transferred not every thing. Is that possible? a tutorial or reading material would be highly appreciated

note: I'm using flex 3 and php/mysql in the back end, and amfphp to connect them.

Thanks

Darth Plagueis
  • 910
  • 3
  • 21
  • 39
  • 1
    That makes no sense. Why would you only want to encrypt the sign up and sign in? After you sign in, you'd want to be on a secure line (or so I would imagine). I think you might be confusing how https works. – J_A_X Jul 07 '11 at 15:12
  • I just want to encrypt the sign up and sign in info. after the user is signed in, all he does (in my application) is search for stuff, so its going not be needed to encrypt data after he signs in. – Darth Plagueis Jul 11 '11 at 15:23
  • I'm questioning the utility of it. Why do you need to have the login/password be secure if the information you're providing after the login is not important? It's incredibly redundant. – J_A_X Jul 11 '11 at 15:27
  • Its not that the information is unimportant ... the user can do other things, what I meant with my question is I only want some of the data to be sent using a secure connection, not all the data. – Darth Plagueis Jul 11 '11 at 15:33

1 Answers1

1

Since you're using AMFPHP, I can assume that you are using the AMF protocol to send data back and forth and also using the RemoteObject tag inside Flex to make remote calls.

Assuming that AMFPHP uses a standard approach that most other platforms use, I would just open up your services-config file and add a destination for secure / HTTPS communication and one for non-secure /HTTP communication.

Then just edit your code to make sure your login procedures use the secure destination; while other data calls do not.

JeffryHouser
  • 39,401
  • 4
  • 38
  • 59
  • 2
    Here's an answer I posted today on doing the two dest / enpoints that might be helpul : http://stackoverflow.com/questions/6615368/how-to-make-a-channel-secure-im-using-a-amf-channel-how-to-add-security-to-m/6617960#6617960 – Nate Jul 08 '11 at 04:44
  • I tried what you said, but I'm getting the following response from the server `code` Your browser sent a request that this server could not understand. Reason: You're speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL `code` any ideas? – Darth Plagueis Jul 13 '11 at 22:15
  • @Agent1891 Did you use a network sniffer tool to see if SLL is actually being use in your remote calls? – JeffryHouser Jul 13 '11 at 22:33
  • I used firebug on firefox, I'm not sure how to make sure that SSL _is_ being used, i got `code` Host localhost:443 `code` in my request's header, I'm sort of a noob in web development, is there another way to make sure? – Darth Plagueis Jul 13 '11 at 22:52
  • Generally you look at the URL Flash Player is calling to figure out if it's a SSL one or not. I'm not sure if Firebug exposes that info; but if it does, you're golden. Make sure the URL being called is using the HTTPS protocol, and not HTTP. – JeffryHouser Jul 14 '11 at 01:28
  • @www.Flextras.com I tried charles ... in the request to gateway.php, it says the url is http://localhost:443/amfphp/gateway.php, (says http, not https), but still, the response the same about the plain text on https – Darth Plagueis Jul 14 '11 at 22:33
  • If it says HTTP; that is probably your problem. You need to make sure that URL is HTTPS. IS the SWF being served off an HTTPS URL? Are you sure the destination is set up correctly in your services-config file? – JeffryHouser Jul 14 '11 at 22:55
  • @www.Flextras.com I tried serving the swf from both http and https, same result ... and in my services config, the channel definition for the secure channel is the same as that for the insecure, but i added https and :443 and used SecureAMFEndpoint and SecureAMFChannel – Darth Plagueis Jul 15 '11 at 00:53