If you run your own server or even just use a shared hosting account for your Flashcom applications, you should be aware that anyone who can guess (or simply sniff) your connection string can connect and abuse your bandwidth and connection limits. In this tutorial I show you one way of making life a little bit harder for these hijackers.
Please note that ideally you would be using the <Allow>mydomain.com</Allow> tag in vhost.xml, but this can sometimes be a bit awkward, especially on a development server.

Whenever a client (Flash movie) connects to your application, the server invokes the application.onConnect method. We will use this method to authenticate the movie, basically making sure that it is allowed to connect before the connection is accepted.

Let's have a look at the following server-side script, which is located inside main.asc. This script can authenticate multiple domains.




The first line loads your components; you can omit it if you are not using any pre-built communication components in your movie.

This is followed by the onConnect method, which receives one parameter: client_obj.
The client_obj parameter is always the first argument, and it must be passed on to acceptConnection or rejectConnection in order to assign (or refuse) the client. You can extend this function to receive as many additional parameters as you like (they correspond to the extra arguments of the client's NetConnection.connect call), but for our needs client_obj is sufficient.

We then declare our allowed domain, once with www prefixed and once without. It is set up to accept connections from various variations of flashcomguru.com, but you must change this domain to the one of your own website - doh! Also make sure you write it in lowercase, because the referrer is lowercased before the comparison.

We then read the referrer and convert it to lower case (just to be safe, since host names are case-insensitive).
var theReferrer = client_obj.referrer.toLowerCase();

What follows is the actual comparison between our allowed domain and the domain of the swf that is trying to connect. We do this by looping over the domainList array and checking whether the allowed domain is a substring of the referrer. We also make sure that the match sits at the very start of the referrer (indexOf returns 0) and not further along the string; otherwise a swf hosted somewhere else could slip through merely by having your domain name appear later in its URL, for example in the path or the query string.
if (challenge == 0) {...
Thanks to Brian Lesser for spotting this one.

The rest is fairly self-explanatory. If we find a match we set a variable, acceptit, to 1. In the if statement that follows we decide, based on the value of acceptit, whether to accept or reject the connection.

Please note that this method does not require any scripting on the client side (inside your swf file), but it is not as secure as using the <Allow> tag in vhost.xml: the referrer is reported by the connecting client as part of its connect request, so a purpose-built client (rather than a Flash movie loaded from a web page) can claim any value it likes. Treat it as a hurdle for casual hijackers, not as real authentication.

If you are looking for a few more advanced ways of authenticating a user, I can highly recommend Kevin Towes' book 'Flash Communication Server MX'.
He provides code listings on his site, including one which authenticates a user through FlashCom via Remoting against an Access database.
Another great read is Bill Sanders' book from the Reality Series - one of my favourites on Flashcom.

A slightly easier way is to use a server-side array of valid passwords, as described in chapter 11 of his book. You can find the code for it here. However, the password the movie sends has to live inside the swf, so it can easily be recovered with an ActionScript decompiler.


Have fun.