Security applies to everything in life, and IT security is something to consider whenever a web application passes data over the network. Passwords are always at the heart of this issue. Quite often an application has several problems at once: user passwords are not protected, and data is not properly encrypted at either end, origin or destination.
To protect the passwords that grant access to an application, it is very important to ensure that login credentials are never handled in the clear; in other words, passwords must be run through a hash algorithm rather than stored as typed. One of the most widely used algorithms is MD5.
MD5 is a one-way hash algorithm, i.e. once data has been hashed it cannot be turned back into the original. In theory, the output of this algorithm cannot be reversed to the content that produced it. Of course, it is also important to provide mechanisms in the application that let users understand the strength of their passwords. Passwords like 12345, even though it is obvious to us never to use them, are used worldwide. This can be controlled with a function that validates the password entered, based on the business rules established for the project.
Flex 3 does not natively include the library (as3corelib.swc) that provides this function, so it must be downloaded.
After downloading and unzipping the library, navigate to the as3corelib-.92.1 folder, copy the file as3corelib.swc from its lib/ directory and paste it into the lib folder of your project.
After pasting it into the lib folder of your project, right-click the project folder and select Properties. In the Properties window, click Flex Build Path in the left-hand list. Then, in the Library Path tab, click libs and click the Add SWC button. The Add SWC window appears.
Select the location of the as3corelib.swc file and click OK, then OK again in the Properties window. With this done, Flex rebuilds your project, which can now use MD5.
For this article, we create a main screen with a text input field that receives the password entered by the user. This password is converted into an MD5 hash, a hexadecimal string of 32 characters (always 32 characters, whatever the length of the input). The user then clicks the login button. At that moment the HTTPService component is fired and runs a query against the database that fetches the password field and compares it with the hash computed on the application side, in order to authorize the user. See Figure 1.
Figure 1. Add SWC window
In this example, we create a database with a users table containing only two fields: iduser (integer, auto-increment) and password (varchar 45), the primary key. One row was inserted into the table, converting the password '142536' into the MD5 hash 'a45958517604f5cd90d6ee51ad9cfdb6' with PHP's md5 function.
Now let's build a PHP file that receives the data via POST, compares it with the MD5 password recorded in the database and returns whether the credential is valid or not.
The cripto.php file receives via POST the password entered by the user and runs a query against the database. If a match is found, an XML document is returned and sent to the Flex application.
The application has a Users class with iduser and password as properties, and a doLoadFromXML method that receives the file PHP generates when the password comparison succeeds, in order to feed the application.
Still on the Flex side, a component is needed that communicates with the server, specifically with the cripto.php file. This component is of HTTPService type, named wsUser; it sends the password via POST and receives the XML returned on a successful response. See Figure 2.
Figure 2. WsUser component being dragged to the application.
After the component has been built, it is used by dragging it from the Components/Custom tab onto the application in Design mode. The component is called webUser. Its purpose is to communicate with the application's PHP scripts.
In the application, the Click method is triggered by the click event of the btnClick button, whose Label property is set to the text "Send". The method body declares a password variable of String type that receives the user-entered password and converts it to MD5 (the MD5 class comes from as3corelib and must be imported first):
import com.adobe.crypto.MD5;
var password:String = MD5.hash(edtPassword.text);
In the next step, the webUser component calls its doLogin method, which takes as a parameter the variable holding the password already hashed by the crypto class.
Within the webUser component, the OnResultUserRead function is responsible for receiving the XML assembled by the PHP script, so that it can be used within the application by any Flex component that takes data from a data provider.
Regarding communication with the server and the question of password security, another important point is that keeping the data (not just the password) and its description (metadata) in a human-readable form such as XML may be practical. It is also a drawback, however, since human-readable text is not as efficient, in terms of performance and speed, as binary communication between client and server.
In Flash MX, Flash Remoting was introduced as a way to provide binary communication (an extremely efficient form of client-server communication) based on an open protocol named AMF (Action Message Format), enabling communication with several server technologies such as Java, PHP and ColdFusion.
In this example, the XML is loaded at runtime using the HTTPService class: the webUser component accesses the URL and returns the data formatted as XML.
Access to the URL (the PHP files) is provided by the GetBasePath function, defined in the Util class, which returns the path to the htdocs folder of the Apache server at IP address 127.0.0.1, followed by a slash '/', so that from there the HTTPService component can find the PHP script that serves the application. In this class we created some basic functions for the application, such as displaying messages, opening pop-up windows, closing modal windows, and so on.
Also in the webUser component, its OnExecute property performs the validation of the data sent and returned, through the ValidatePassword() function. The OnExecute property identifies the event that signals that the component has completed some function; in this case, the ValidatePassword() function is run on that event. The mechanism therefore works as follows: the application hashes the password with the MD5 crypto class and the webUser component calls the doLogin method, supplying the necessary parameter to the URL, and the PHP file receives the data sent via POST. The database is accessed, the value sent by the application is compared with the value saved in the database, and the result is returned to the application as XML.
In the function body, the loUser variable of UserData type receives the first element of the result returned by the WebUsuario HTTPService component. At that moment a comparison is made between the result and what the user typed, and the message "Enter the password correctly" or "The password is correct." is emitted. The message is displayed by the ShowMessage function, which belongs to the Util class.
Using the Firefox browser together with the Firebug add-on, you can see what is sent by Flex and the XML returned, as in Figure 3.
Figure 3. Password parameter with hash sent via post.
Comments, suggestions or questions: please do not hesitate to write.