I’m creating a flash application that will post images to a url for saving to disk/display later. I was wondering what are some suggested strategies for making this secure enough so that the upload is verified as coming from the application and not just some random form post.
Is it reliable enough to check referring location realizing that I don’t need bulletproof security, or perhaps setting authentication headers is a better strategy even though it seems unreliable from what I have read.
The application and the server script will reside on the same domain and is in java – is there a way to check for a ‘session’ or something like that?
Another thought I had was some sort of simple hashed key type system, I could hard-code a key into the flash application and pass something to the server based on that – the server would also know this key and be able to verify if the value passed was based on that?
Thanks for any advice and especially any examples – I am naive in this area -b
The app is a public app, so authenticating users is not an option. After more research I am thinking about using a hard coded salt key on both ends, then sending an MD5 hash of the base64 encoded image bytearray+salt to be matched on the server side. Any thoughts on this strategy?
Your question can be generalized to ‘How can I be sure the image is uploaded through my (flash) application?’. Answer is, it can’t. No matter what you do, a determined person can reverse engineer your application or watch the http traffic, and then use that information to create another client (applet/silverlight/html form/standalone program) to upload files to the server. At best, you can obscure to make things difficult. But that’s not security.
Instead, you should be asking ‘How can I be sure the image has been uploaded by an authorized person?’. This one is possible. The user has to authenticate over https, and then upload the file. Read OWASPs guide to session management for more information on how to solve this problem.