Passing flash variables to CF

  1. #1

    Passing flash variables to CF

    All the ways I've found so far of passing variables back to CF from flash seem
    to involve either getURL with POST/GET or the loadvars method. This seems to
    inevitably require a page refresh which I would like to avoid if possible.

    The other issue is that the variables are presented to CF as form variables
    which leaves the CF page vulnerable to cross site attack. Ideally I want the
    swf embedded on my page to be the only way of passing data through to my CF
    handling page.

    Is this possible?

    Paul Galloway Guest

  3. #2

    Re: Passing flash variables to CF

    Paul Galloway wrote:
    >
    > Is this possible?
    >
    NO!, unless you want your SWF to *only* be accessed by a user sitting in
    front of the server. Saying 'form variables which leaves the CF page
    vulnerable to cross site attack' is the same as saying, 'making a web
    site leaves me open to web site attacks.' Basically a true statement,
    but following best practices of coding web applications can mitigate.

    Having said all that, I think you may want to be looking at Flex and
    ColdFusion. Flex uses the Flash client to work with server back ends.
    This allows one to use AMF channels to pass data between the server and
    the client. While this will not prevent cross site attacks, one still
    needs to be intelligent in how one builds one's server side code. It does
    give one more direct client and server communications without client
    refreshes and the server can push data to the client.
    Ian Skinner Guest

  4. #3

    Re: Passing flash variables to CF

    Well the issue I'm trying to mitigate is that the user downloads my swf,
    decompiles it, looks at my actionscript which shows

    on (press) {
        dataOut = new LoadVars();
        dataOut.credits = credits;
        // Use the send() method to POST the data
        dataOut.send("http://mysite.com/cashout.cfm", "_self", "POST");
    }

    and simply creates a form to submit form.credits field to my form handling
    page. If they are a registered user correctly logged in using session variables
    this goes through just fine. Is there a way of knowing that the variables are
    being passed from an instance of the swf on my domain?

    Sauleve Guest

  5. #4

    Re: Passing flash variables to CF

    Sauleve wrote:
    > and simply creates a form to submit form.credits field to my form handling
    > page. If they are a registered user correctly logged in using session variables
    > this goes through just fine. Is there a way of knowing that the variables are
    > being passed from an instance of the swf on my domain?
    Not really, a post is a post. You could check the cgi scope for the
    referer IP address. This can be spoofed but at least it cuts out the
    lazy folks.

    You can use the session to count the number of posts of the form and
    only allow a legitimate number per session.

    You can set a session scope variable when the swf is delivered and only
    allow one submit per unique session value.

    But thanks to the stateless nature of the HTTP protocol client-server,
    request-response world of internet applications, you can never *really*,
    _absolutely_ know that this request has anything to do with any other
    previous request. There are some extras bolted onto the protocol to
    make it more likely that this request is related, but they are all
    spoofable.


    Ian Skinner Guest
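
The per-session post count and the one-submit-per-delivered-SWF check suggested in reply #4, sketched in CFML as an added example (not code from the thread). The file name game.cfm, the session keys, the FlashVars hand-off and the limit of 3 are assumptions, and the SWF is assumed to be changed to send the value back as form.token.

```cfml
<!--- File 1 (hypothetical name: game.cfm), the page that embeds the SWF.
      Assumes session management is enabled for the application. --->
<cflock scope="session" type="exclusive" timeout="5">
    <!--- Fresh random value every time the SWF is delivered --->
    <cfset session.cashoutToken = hash(generateSecretKey("AES"), "SHA-256")>
</cflock>
<cfoutput>
<object type="application/x-shockwave-flash" data="game.swf" width="550" height="400">
    <param name="movie" value="game.swf">
    <!--- Assumed change to the movie: copy this value into dataOut.token before send() --->
    <param name="FlashVars" value="token=#session.cashoutToken#">
</object>
</cfoutput>

<!--- File 2: cashout.cfm, the form handler named in the thread --->
<cfparam name="form.token" default="">
<cfset maxPostsPerSession = 3>  <!--- constructed limit; pick what a real user needs --->
<cfset accepted = false>
<cflock scope="session" type="exclusive" timeout="5">
    <!--- Count every POST from this session, accepted or not --->
    <cfparam name="session.cashoutPosts" default="0">
    <cfset session.cashoutPosts = session.cashoutPosts + 1>
    <cfif session.cashoutPosts LTE maxPostsPerSession
          AND structKeyExists(session, "cashoutToken")
          AND len(form.token)
          AND compare(form.token, session.cashoutToken) EQ 0>
        <cfset accepted = true>
    </cfif>
    <!--- Consume the token on every attempt: one submit per delivered SWF,
          and a wrong guess cannot be retried against the same value --->
    <cfset structDelete(session, "cashoutToken")>
</cflock>
<cfif NOT accepted>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>
<!--- Token matched and the session is under its limit: process the cash-out here --->
```

A hand-built form posted from another site has no way to supply the current token, and a replay of a captured POST fails because the token is already consumed; form.credits is still a client-supplied number, so the amount has to be checked against server-side state.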
