I’d like to use the Flash AS3 shared object (“Flash cookies”) to store a password in.
Is it safe by default or do I need a technique to encrypt it?
I couldn’t find information about whether anybody can look up which shared objects are set by Flash and what content is inside.
Any information is pretty welcome.
Uli
A general rule is that anything stored on the client can be lifted from the client unless some form of shared encryption is used (HTTPS, for example). With Flash, this is doubly true — Flash is very simple to decompile and SharedObjects work while offline, which means that if you can spoof the site of origin, you can read the object. It would take me about 30 minutes, but I suspect I could render every shared object on my machine as a human-readable JSON.
If you must store a password or username on the client, then store it in some form of one-way encryption like SHA or (if you’re in a bind) MD5. The as3crypto library is here. But, remember, someone client-side can still grab that value and copy it to another machine.
A couple of asides: SharedObjects are not new in AS3. I remember using them in legacy AS2 libraries. Second: there is little to be gained by use of SharedObjects; I’ve found them inconsistent between IE and the rest of the world. Of course, with Flash Projector, they are your only option. Another benefit of cookies is that cookies are far easier to secure as they can be validated server-side with two-way encryption. Definite bonus.
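To illustrate the point in the answer above that shared object contents are readable, here is an added example (not code from the original posts): a minimal Python reader for the commonly documented `.sol` layout with an AMF3 body, run on a constructed sample. The layout details, the object name `login` and the stored values are assumptions for illustration, and only inline string values are handled.

```python
import struct

def u29(buf, pos):
    """Decode an AMF3 variable-length integer; return (value, next_pos)."""
    value = 0
    for i in range(3):
        byte = buf[pos + i]
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            return value, pos + i + 1
    return (value << 8) | buf[pos + 3], pos + 4  # fourth byte carries 8 bits

def amf3_string(buf, pos):
    """Read an inline AMF3 string (string references are not handled)."""
    header, pos = u29(buf, pos)
    if not header & 1:
        raise ValueError("string reference: not handled in this example")
    end = pos + (header >> 1)
    return buf[pos:end].decode("utf-8"), end

def parse_sol(buf):
    """Return (object_name, {key: value}) for an AMF3 body of string values."""
    if buf[:2] != b"\x00\xbf" or buf[6:10] != b"TCSO":
        raise ValueError("not a shared object file")
    (name_len,) = struct.unpack(">H", buf[16:18])
    pos = 18 + name_len
    name = buf[18:pos].decode("utf-8")
    if struct.unpack(">I", buf[pos:pos + 4])[0] != 3:
        raise ValueError("only AMF3 bodies are handled here")
    pos += 4
    data = {}
    while pos < len(buf):
        key, pos = amf3_string(buf, pos)
        if buf[pos] != 0x06:  # 0x06 is the AMF3 string type marker
            raise ValueError("only string values are handled here")
        data[key], pos = amf3_string(buf, pos + 1)
        pos += 1  # each pair is followed by one padding byte
    return name, data

def build_sample():
    """Constructed sample: object 'login' holding a user name and password."""
    enc = lambda s: bytes([len(s) << 1 | 1]) + s.encode()  # short ASCII only
    body = b"TCSO\x00\x04\x00\x00\x00\x00" + struct.pack(">H", 5) + b"login"
    body += struct.pack(">I", 3)
    for key, value in (("user", "uli"), ("password", "hunter2")):
        body += enc(key) + b"\x06" + enc(value) + b"\x00"
    return b"\x00\xbf" + struct.pack(">I", len(body)) + body

if __name__ == "__main__":
    print(parse_sol(build_sample()))
```

The stored password comes back verbatim because nothing in the container encrypts or obscures the values.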