
I have an Adobe AIR/FLEX app packaged as a native installer application running on the desktop. From there, I need to do the following: a) stay in the "app:" application sandbox so I can load "file://" JPGs into my mx:HTML control b) authenticate with my server (CAKEPHP) to get a valid CAKEPHP Session Cookie, and c) securely GET/POST XHR requests from javascript.

Can I authenticate using something like OAUTH or Facebook Connect without losing the application sandbox? It seems if I redirect from my mx:HTML, I lose my local privileges.

Can I authenticate with my server using a different sandbox (remote?) and safely pass the Session Cookie to my application sandbox?

Are either of these methods safe against scripting attacks?

michael
I'm not sure I understand. What are you trying to accomplish? (Give an overview, not specific technical "can I do..." questions.) – J_A_X Apr 21 '11 at 14:19

1 Answer


Can I authenticate using something like OAUTH or Facebook Connect without losing the application sandbox? It seems if I redirect from my mx:HTML, I lose my local privileges.

Can I authenticate with my server using a different sandbox (remote?) and safely pass the Session Cookie to my application sandbox?

I don't know AIR/Flex, but you can certainly integrate OpenID / OAuth / Facebook Connect into your Cake application's registration/login screen with no problems, and then use it to authenticate your users.

I wouldn't redirect; rather, use POST/GET requests to send the login data to the Cake application (users/login), make sure no views/layouts are rendered for login(), and return the user session data (json_encode the $this->Auth->user).

Are either of these methods safe against scripting attacks?

They can be if you ensure the login() function is only reachable by the application, perhaps by sending a unique identifier, and encrypt the data (via SSL, or just serialize it). Also put in the standard checks for XSS and methods to delay brute force; Cake actually has some good sanitize methods for dealing with injections (usually enabled by default).

Shaz MJ
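The login() action the answer describes, written out as an added example (not code from the answer's author or from CakePHP itself), following CakePHP 1.3 conventions: no view or layout is rendered, only POST is accepted (so a redirected GET is refused), a per-application token header stands in for the "unique identifier", and the authenticated user record is returned as JSON. The header name X-App-Token, the config key App.clientToken and the 403/405 handling are assumptions for this example; the CAKEPHP session cookie itself is emitted by Cake's Session component on the same response, so the client only has to keep and resend it.

```php
<?php
// app/controllers/users_controller.php  (CakePHP 1.3 layout; assumed)
class UsersController extends AppController {

    public $name = 'Users';
    public $components = array('Auth', 'RequestHandler', 'Session');

    public function beforeFilter() {
        parent::beforeFilter();
        // Auth::startup() processes POSTed data[User][username] /
        // data[User][password] for the loginAction before login() runs,
        // so the action only has to report the outcome.
        $this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
        $this->Auth->autoRedirect = false;   // never answer a login with a 302
    }

    /**
     * JSON-only login endpoint for the desktop client.
     * On success the response carries the session cookie (Set-Cookie) plus
     * the user record as JSON; on failure, a JSON error and an HTTP status.
     */
    public function login() {
        $this->autoRender = false;           // no view, no layout
        $this->header('Content-Type: application/json');

        // Only POST: a GET (for example, the result of a redirect) is refused.
        if (!$this->RequestHandler->isPost()) {
            $this->_json('HTTP/1.1 405 Method Not Allowed', array('error' => 'POST required'));
            return;
        }

        // "Unique identifier" check: the desktop app sends a shared token in
        // a request header that a browser would never add on its own.
        // Header name and config key are assumptions for this example.
        $expected = (string)Configure::read('App.clientToken');
        $sent = (string)env('HTTP_X_APP_TOKEN');
        if ($expected === '' || !$this->_constantTimeEquals($expected, $sent)) {
            $this->_json('HTTP/1.1 403 Forbidden', array('error' => 'unknown client'));
            return;
        }

        $user = $this->Auth->user();
        if (empty($user)) {
            // Auth::startup() did not accept the posted credentials.
            sleep(1);                         // cheap brute-force delay
            $this->_json('HTTP/1.1 401 Unauthorized', array('error' => 'invalid credentials'));
            return;
        }

        // Auth::identify() already strips the password field; return the rest.
        $this->_json('HTTP/1.1 200 OK', $user);
    }

    /** Emit a status line and a JSON body; nothing else is rendered. */
    protected function _json($status, $payload) {
        $this->header($status);
        echo json_encode($payload);
    }

    /**
     * Compare two strings without leaking their common prefix via timing.
     * (PHP >= 5.6 provides hash_equals() for this.)
     */
    protected function _constantTimeEquals($a, $b) {
        if (strlen($a) !== strlen($b)) {
            return false;
        }
        $diff = 0;
        for ($i = 0, $n = strlen($a); $i < $n; $i++) {
            $diff |= ord($a[$i]) ^ ord($b[$i]);
        }
        return $diff === 0;
    }
}
```

The client in the AIR application sandbox POSTs the form fields data[User][username] and data[User][password] (Cake's request-data naming) to /users/login over HTTPS with the X-App-Token header set; it then stores the Set-Cookie value from the response and sends it back on every later XHR, with no redirect and no page navigation out of the app: sandbox.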