Flex / AIR, PHP and user authentication

So you’ve built a Flex or AIR application that talks to a PHP server and you’re wondering how to authenticate and authorize users? Actually, it is very easy to do this. You can do the same things you would do with a PHP web application: authenticate the user credentials, start a session and write some session values. Then, for any subsequent calls, you first check whether the session values are set to determine if the user is logged in. This approach works in the same way for a Flex application deployed in the browser or deployed on the desktop (an AIR application), because once the server starts a session and sends the response back to the client, Flash Player adds the session ID to any other call made to the same server (of course the calls must use HTTP or HTTPS).

So let’s recap what happens:

  1. The Flex client (could be a web app or an AIR app) makes a request to a PHP file to authenticate the user: http://localhost/login.php
  2. The “login.php” script validates the user and, if successful, starts a session and saves some variables regarding the authenticated user to the session
  3. The server sends a response back to the Flex client
  4. The Flex client makes new HTTP/HTTPS requests to the same server. The session id is appended to the request
  5. The PHP server scripts called from the client use the same session and can retrieve from it any info that was saved by “login.php”
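The server side of steps 2 and 5, as an added example that is not the downloadable sample from the post: a login handler that starts the session and stores the user and role, and a guard that later scripts call before doing any work. The user table, the role names and the XML response format are assumptions (password_hash/password_verify are the modern PHP API, not what the 2008 sample used). It also enforces the role on the server, which is what the reply in the comments relies on when it says a request outside the user's role is discarded.

```php
<?php
// Added example, not the post's sample app. Both endpoints are shown in one
// file; on a real server split them into login.php and protected.php.
declare(strict_types=1);

// Constructed user table standing in for the database: name => [hash, role].
function sampleUsers(): array
{
    return [
        'alice' => ['hash' => password_hash('alice-secret', PASSWORD_DEFAULT), 'role' => 'admin'],
        'bob'   => ['hash' => password_hash('bob-secret',   PASSWORD_DEFAULT), 'role' => 'user'],
    ];
}

// --- login.php: step 2, called once by the Flex client with POST fields ---
function loginHandler(array $post): void
{
    session_start();
    header('Content-Type: application/xml');
    $users = sampleUsers();
    $name  = (string)($post['username'] ?? '');
    $pass  = (string)($post['password'] ?? '');

    if (!isset($users[$name]) || !password_verify($pass, $users[$name]['hash'])) {
        http_response_code(401);
        echo '<result status="error">invalid credentials</result>';
        return;
    }
    // Fresh session id after login, so an id handed out before login is not reused.
    session_regenerate_id(true);
    $_SESSION['user'] = $name;
    $_SESSION['role'] = $users[$name]['role'];
    echo '<result status="ok" role="' . htmlspecialchars($_SESSION['role'], ENT_QUOTES) . '"/>';
}

// --- protected.php: step 5, run at the top of every later server script ---
function requireRole(string $role): void
{
    session_start();
    header('Content-Type: application/xml');
    if (!isset($_SESSION['user'])) {        // no session values: the user never logged in
        http_response_code(401);
        exit('<result status="error">not logged in</result>');
    }
    if ($_SESSION['role'] !== $role) {      // logged in, but this action is outside the role
        http_response_code(403);
        exit('<result status="error">forbidden</result>');
    }
}

// Example use in a script that only admins may call (e.g. the delete action):
// requireRole('admin');  followed by the actual work.
```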

Another way to handle the authentication is by using a token. The workflow is:

  1. The Flex client sends user credentials to the server
  2. If the user credentials are correct, the server sends back a token that is unique for the given user
  3. From that point on, whenever the Flex client makes a request to the server, it sends the token too.
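The token workflow on the server, as an added example (not code from the post): step 2 mints a random token for the authenticated user, and every later request in step 3 is resolved back to a user through a store. The store layout, the one-hour lifetime and the name of the request field are assumptions; the array stands in for the shared database table that lets several domains accept the same token, which is the advantage the post describes.

```php
<?php
// Added example, not the post's sample app. $store stands in for a DB table.
declare(strict_types=1);

const TOKEN_TTL = 3600; // seconds a token stays valid (assumed policy)

/** Step 2: credentials already verified; mint a token for this user. */
function issueToken(array &$store, string $user): string
{
    $token = bin2hex(random_bytes(32));              // 256 bits from the CSPRNG
    // Only a hash of the token is stored, so a leaked store yields no usable tokens.
    $store[hash('sha256', $token)] = ['user' => $user, 'expires' => time() + TOKEN_TTL];
    return $token;                                   // returned to the Flex client once
}

/** Step 3: map the token sent with a request to its user, or null if invalid. */
function userFromToken(array &$store, string $token): ?string
{
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;                                 // unknown or already revoked
    }
    if ($store[$key]['expires'] < time()) {
        unset($store[$key]);                         // expired: drop it and reject
        return null;
    }
    return $store[$key]['user'];
}

// Self-check with a constructed in-memory store (replace with the DB lookup).
$store = [];
$t = issueToken($store, 'alice');
if (userFromToken($store, $t) !== 'alice') {
    throw new RuntimeException('valid token was not accepted');
}
if (userFromToken($store, 'not-a-real-token') !== null) {
    throw new RuntimeException('unknown token was accepted');
}
$expired = [hash('sha256', $t) => ['user' => 'alice', 'expires' => time() - 1]];
if (userFromToken($expired, $t) !== null) {
    throw new RuntimeException('expired token was accepted');
}

// In the protected script: $user = userFromToken($store, (string)($_POST['token'] ?? ''));
// and reject the request with HTTP 401 when $user is null.
```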

Why should you use a token instead of relying on the session mechanism? I don’t think one method is always better than the other; it really depends on your architecture and your specific needs. For example, the token approach gives you two advantages: you don’t have to care about the session expiration time, and you don’t have to care about the server domain (you could have several domains sharing the same user database, and with the token approach you don’t need to authenticate on each domain in order to start a session). On the other hand, the session approach could be better if you can leverage existing applications on the server side, or if you don’t want the token appended to each request you make from the Flex application.

I put together a simple Flex application to illustrate how you can authenticate from Flex on a PHP server. You can download the app from here and import the archive in Flex Builder using Import > Flex Builder > Flex project. Inside the project is a folder “user_auth”. You should move this folder to your PHP web server and then change, in the MXML file, the value of the SERVER_URL constant so that it is the correct URL for your setup (it is defined right at the top of the MXML file). On my computer, the constant has this value: http://localhost/user_auth/. As a side note, this code works just as well as an AIR application: just create an AIR project, copy the script code and the services/UI components into the MXML file, and you are done.

The calls to the PHP server are made using either HTTPService or RemoteObject (I am using AMFPHP on the server side). If you run the application, you will see three areas with buttons: one for authentication using a session and HTTPService, one for token authentication using HTTPService, and the last one for using RemoteObject and a session. One way to test it is: open the application in Firefox and click on the first button; a session will be started on the server and some values will be set in the session. If you open the same application in Safari (or any browser other than the one you just used) and click on the second button (Make Request to another page which…), you will get an error, because the PHP script checks that some specific values are set in the session and the second browser has no such session.

If you want to try the “Authenticate against LDAP” workflow, first you need to be able to access an LDAP server from the PHP server, and you need to open the “ldap_auth.php” PHP file and set the correct values for RDN, DN, and hostname.

Comments

5 Responses to “Flex / AIR, PHP and user authentication”

  1. Flex / AIR, PHP and user authentication « Rich Internet Applications on July 23rd, 2008 1:42 pm

    [...] Source [...]

  2. TVPDan on August 15th, 2008 4:14 am

    What would be the best method for showing certain Flex app elements based on user permissions in a DB (MySQL)? Say, admins can see a delete button and regular users cant, but can see everything else.

    Thanks,
    Dan

  3. Mihai Corlan on August 15th, 2008 11:24 am

    One way is to set the visible property to “false” on the UI Components you want to hide.

    Another way is to use mx:states to define one state for each role.

  4. TVPDan on August 15th, 2008 6:06 pm

    By that method though, if someone took the SWF file and decompiled it, wouldn’t they see items that they could use maliciously?

  5. Mihai Corlan on August 15th, 2008 10:26 pm

    Yes, they can decompile and see the buttons they shouldn’t, but they cannot use them. As I explained in my post, when the client makes a request to the server, the server knows (based on session or token) what user / credentials made the request. If the method is outside of the user role, it is discarded.
