I'm writing an application to load, edit and save XML with a Flash 7 front-end, using .NET scripts to write the XML.
Here's the script I'm using to save the xml:
using System;
using System.IO;
using System.Web.UI;

// Code-behind for the save page that the Flash front-end posts to.
private void Page_Load(object sender, System.EventArgs e)
{
    String fileUrl;
    String xmlData;
    String returnToFlash;
    // Both values come straight from the form fields that Flash posts.
    fileUrl = Request.Form["fileUrl"];
    xmlData = Request.Form["xmlData"];
    // Map the posted virtual path to a physical path and overwrite the file there.
    using (StreamWriter sr = File.CreateText(Server.MapPath(fileUrl)))
    {
        sr.WriteLine(xmlData);
    }
    // Flash parses this name=value string as the result.
    returnToFlash = "data=Success";
    Response.Write(returnToFlash);
}
It's pretty simple, which is why I'm worried about the possibility of people 'spoofing' it with false data that hasn't come from my flash app.
There is a login script too which will (eventually) check the user credentials against a database to allow access. I was thinking that perhaps I should send these login credentials when saving a file to authenticate the user. Although I'm pretty sure there must be a better way to do it - ideally I don't want users to poll the database more than once per session.
This must be a problem that Flash developers face all the time; I just haven't been able to find any articles on the topic (as I don't fully understand what I'm looking for!).
So my question is: What is the best way to secure access to this script without sending a username and password to check a database?
Thanks

It's a scary proposition when you are going to allow files to be uploaded to a web server. You should develop a strategy that allows you to upload files to a directory that only has Write permissions for the ASPNET/Network Service account, as you want to prevent anyone from uploading an executable and being able to execute it.
That said, there is a lot to security and this situation. I recommend you check out "Improving Web Application Security" and "Building Secure ASP.NET Applications".
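A hardened version of the save script, as an added example (not the poster's code or anything from the books mentioned): it authorizes from a session flag that the login page sets once after checking the database, so credentials are not re-sent with every save; it confines writes to one folder with a forced .xml extension; and it refuses anything that is not well-formed XML. The page name SaveXml, Session["username"] and the ~/userdata/ folder (assumed to have IIS execute permission set to None and write access only for the worker account) are assumptions.

```csharp
// Added example, not from the original post. Assumes the login page sets
// Session["username"] once, and that ~/userdata/ is the only writable folder.
using System;
using System.IO;
using System.Text;
using System.Web.UI;
using System.Xml;

public partial class SaveXml : Page
{
    private const string UploadRoot = "~/userdata/";

    private void Page_Load(object sender, EventArgs e)
    {
        // 1. Authorize from the session set by the login page; nothing sent by
        //    the client (credentials, hidden fields) is trusted on its own.
        if (Request.HttpMethod != "POST" || Session["username"] == null)
        {
            Response.StatusCode = 403;
            Response.Write("data=Forbidden");
            return;
        }
        // 2. Never hand the client's path to Server.MapPath. Keep only a plain
        //    file name, force ".xml" and pin the result under UploadRoot, so
        //    names like "..\web.config" or "page.aspx" can never be written.
        string raw = Request.Form["fileUrl"] ?? "";
        string name = raw.IndexOfAny(Path.GetInvalidPathChars()) < 0
            ? Path.GetFileNameWithoutExtension(raw) : "";
        string root = Path.GetFullPath(Server.MapPath(UploadRoot)).TrimEnd('\\') + "\\";
        string target = name.Length > 0 && name.IndexOfAny(Path.GetInvalidFileNameChars()) < 0
            ? Path.GetFullPath(Path.Combine(root, name + ".xml")) : "";
        if (!target.StartsWith(root, StringComparison.OrdinalIgnoreCase))
        {
            Response.Write("data=BadFileName");
            return;
        }
        // 3. Store only well-formed XML, parsed with DTD/entity resolution off,
        //    so whatever lands in the folder is data rather than code.
        string xmlData = Request.Form["xmlData"] ?? "";
        XmlDocument doc = new XmlDocument();
        doc.XmlResolver = null;
        try { doc.LoadXml(xmlData); }
        catch (XmlException) { Response.Write("data=BadXml"); return; }

        File.WriteAllText(target, xmlData, Encoding.UTF8);
        Response.Write("data=Success");
    }
}
```

Because the session is the only thing that authorizes a save, the login page should call Session.Abandon() and start a fresh session when it sets the flag, so a session id obtained before login cannot be reused.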
I didn't consider the ASPNET/Network Service account permissions. They have already been set for me by hosting company for the directory I'm writing to. Perhaps this is enough?
Thanks for the links, I'll give them a read.