PHPObject - Opensource PHP Flash Remoting

PHPObject - Security

Protecting your gateway from unauthorized use
If someone knows your PHPObject Gateway's URL, they can use your gateway without permission to consume web services (if you have the web services connectivity add-on) and to call your PHP classes (if they know your class names and methods). This is possible with the standalone Flash player, which runs outside the Flash security sandbox, and is clearly not ideal.

The 'useKey' directive in PHPObject v1.3 is my first attempt to plug this security risk (the same issue is present in Macromedia's Flash Remoting). It is recommended that you specify a secret key in Gateway.php; all your Flash movies then have to present this key when using the gateway.

Admittedly, the 'useKey' directive only reduces the risk; it does not eliminate it. If, for example, someone decompiles your swf file and studies your ActionScript, the key as well as the PHP class names and methods can be revealed. Once again, this issue is not specific to PHPObject: even if you do not use PHPObject, your swf files can still be decompiled and the URLs and variables extracted.


Disallowing standalone players to access your gateway
A 'disallowStandalone' property was added to the PHPObject Gateway in v1.4. If this property is set to 'true' (the default is 'false'), the gateway checks the USER AGENT of every incoming request. A USER AGENT of "Shockwave Flash" means the request came from a Flash player (either the authoring player or the standalone player) rather than from a browser Flash plugin, and the gateway will refuse such requests.

If you are deploying your Flash MX application in a web-only environment, set this property to 'true' for deployment (set it to 'false' only to make testing from the authoring player easier during development).
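The two settings described above, 'useKey' and 'disallowStandalone', are both request-gating checks performed by the gateway before it dispatches a call. The following PHP is an added example written for this page; it is not PHPObject's own Gateway.php code. The function name gateway_request_allowed, the configuration array layout, the request parameter name 'key' and the sample requests are all assumptions constructed for illustration.

```php
<?php
// Added example (not PHPObject's own code): a request-gating check modelled
// on the 'useKey' and 'disallowStandalone' settings described on this page.
// Function and array-key names are assumptions, not PHPObject's API.

// Constructed gateway configuration, standing in for settings in Gateway.php.
$gatewayConfig = array(
    'useKey'             => true,
    'key'                => 'EXAMPLE-SECRET-KEY', // placeholder, not a real key
    'disallowStandalone' => true,
);

/**
 * Decide whether a gateway request may proceed.
 *
 * @param array $config  gateway settings: useKey, key, disallowStandalone
 * @param array $server  request headers, normally $_SERVER
 * @param array $request request parameters, normally $_POST
 * @return array         array(bool $allowed, string $reason)
 */
function gateway_request_allowed(array $config, array $server, array $request)
{
    // disallowStandalone: the authoring and standalone players identify
    // themselves as "Shockwave Flash"; a browser plugin sends the browser's
    // own User-Agent instead, so that exact value is refused.
    if (!empty($config['disallowStandalone'])) {
        $ua = isset($server['HTTP_USER_AGENT']) ? $server['HTTP_USER_AGENT'] : '';
        if ($ua === 'Shockwave Flash') {
            return array(false, 'standalone player not allowed');
        }
    }

    // useKey: the movie must present the secret configured in the gateway.
    if (!empty($config['useKey'])) {
        $supplied = isset($request['key']) ? (string) $request['key'] : '';
        // hash_equals compares in constant time, so a wrong key does not leak
        // how many leading characters matched through response timing.
        if (!hash_equals((string) $config['key'], $supplied)) {
            return array(false, 'missing or wrong gateway key');
        }
    }

    return array(true, 'ok');
}

// Constructed sample requests covering each outcome.
$samples = array(
    'browser plugin, correct key' => array(
        array('HTTP_USER_AGENT' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1)'),
        array('key' => 'EXAMPLE-SECRET-KEY'),
    ),
    'browser plugin, wrong key' => array(
        array('HTTP_USER_AGENT' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1)'),
        array('key' => 'guess'),
    ),
    'browser plugin, no key' => array(
        array('HTTP_USER_AGENT' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1)'),
        array(),
    ),
    'standalone player, correct key' => array(
        array('HTTP_USER_AGENT' => 'Shockwave Flash'),
        array('key' => 'EXAMPLE-SECRET-KEY'),
    ),
);

foreach ($samples as $label => $parts) {
    list($allowed, $reason) = gateway_request_allowed($gatewayConfig, $parts[0], $parts[1]);
    printf("%-32s %s (%s)\n", $label, $allowed ? 'ALLOW' : 'DENY', $reason);
}
```

In a real gateway you would call the function with $_SERVER and $_POST and return an error response instead of dispatching when it returns false. Two caveats match what the page itself says about the key: the User-Agent header is supplied by the client, so 'disallowStandalone' is a hygiene measure against casual use rather than authentication, and the key is only as secret as the swf that carries it.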





Copyright © 2003-2006 GhostWire Studios