Well, as you know, SWX, the “native data format for Flash”, is out there, and if you read some of my previous posts, I told you I was going to try to make it work completely with the beforeFilter protection function that is available inside AMFPHP. This has allowed me to understand the AMF concept a little better.

However, because AMFPHP works with _SESSIONS, it seems the session is sent attached to the AMF message so that AMFPHP is able to know whether the user has already been identified or has some methods blocked. This means we cannot send the header in the SWF file that is generated at runtime, because the SWF is received and never returns as “feedback”. Thus there is no easy way to know whether the open session is valid, or, because the file is generated at runtime, it can create several SESSIONS, which leads to a session each time the user accesses data.

And yep, it is said even by the creator of SWX that this method (using SWX) takes longer to access, not in the client’s app but when the server creates the SWF (also called SWX).

In the meantime, the only thing I managed to do was access and recognize beforeFilter from SWX.php, BUT beforeFilter is unable to execute Authenticate:isAuthenticated() correctly… which is sad :(

I discovered that by using SWX your application can be potentially weak to scanning of services due to the lack of a security implementation in SWX.

Cheers!
