Posted by Justin Koivisto on 11/05/80 11:16

dracolytch wrote:

> Keep in mind that you'll want your flash animation on a secure page,
> not just a plain HTTP intro page. If you don't then you'll be sending
> usernames and passwords as plain text, and that's a notable security
> hole for a site you want to secure.

Not true... as long as the flash is communicating with a PHP script that
is itself under SSL, then the communication between them is encrypted.
The same applies for normal HTML forms. If you fill in a form from
http://example.com that posts to https://example.com, then the posted
information that is sent in the request would be encrypted since the
connection itself would be.

> I've worked on systems that required server-dialog authentication, and
> ones that simply had the site on https, that I've built my site
> authentication on top of. From a user-friendliness and flexibility
> perspective, I prefer the second technique.

I also prefer to use my own authentication model, it just makes
debugging easier.

> I usually build sites that require fairly flexible/robust role-based
> permissions anyway, so with the second technique I start with a clean
> slate instead of having to interface with aonther system to track
> usernames/passwords/etc. and then extend.

Same here.

--
Justin Koivisto - justin@koivi.com
http://koivi.com

[Back to original message]