Securing Parameters

The "Basic integration" chapter covered the mechanism by which data is delivered from the end client to the authentication handler. In the samples provided, all parameters travelled through the system in plain text, thereby exposing user account information.

Before moving to production, you should consider building a secured authentication system based on parameter encryption. There are many different approaches to building such a system, and the one you choose will depend on your website structure and personal preferences.

The below diagram demonstrates one of the possible implementations:

Explanation:

1. In our example, instead of the plain UID 2012 we use an encrypted SESSION_ID in the popup / embedded code (see the "Adding chat to your website" section). You may use any data and any encryption or hashing mechanism (MD5, SHA1, etc.).

2. The encrypted UID is passed from the chat server to the handler.

3. The handler queries the database for a match in the sessions table, using the encrypted UID as the criterion.

4. The match found is returned to the handler.

5. The handler uses the returned data to generate an XML-formatted response. If no match is found, the handler sends an authorization-failed error.

6. The full profile is sent from the chat server to the Flash client.
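The handler side of steps 1 through 5, as an added Python example that is not part of the original page or of the chat product's own code. The sessions table layout, the expiry column and the XML element names are assumptions; the session id is an opaque random token rather than a hash of the UID, so it reveals nothing about the account if intercepted.

```python
import secrets
import sqlite3
import xml.etree.ElementTree as ET

# Constructed in-memory sessions table standing in for the website's real database.
def build_sessions_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (session_id TEXT PRIMARY KEY, "
               "uid INTEGER, name TEXT, expires INTEGER)")
    return db

def create_session(db, uid, name, now, ttl=3600):
    """Step 1: issue an opaque random SESSION_ID to embed in the chat popup
    instead of the plain UID. The row maps it back to the account server-side."""
    session_id = secrets.token_hex(32)
    db.execute("INSERT INTO sessions VALUES (?, ?, ?, ?)",
               (session_id, uid, name, now + ttl))
    return session_id

def lookup_session(db, session_id, now):
    """Steps 3-4: parameterised lookup by SESSION_ID; an expired row counts as no match."""
    return db.execute(
        "SELECT uid, name FROM sessions WHERE session_id = ? AND expires > ?",
        (session_id, now)).fetchone()

def handle_request(db, session_id, now):
    """Step 5: build the XML reply (assumed element names) or an
    authorization-failed error when nothing matches."""
    match = lookup_session(db, session_id, now)
    if match is None:
        root = ET.Element("error")
        root.text = "authorization failed"
    else:
        uid, name = match
        root = ET.Element("user")
        ET.SubElement(root, "uid").text = str(uid)
        ET.SubElement(root, "name").text = name
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    db = build_sessions_db()
    sid = create_session(db, 2012, "alice", now=1000)
    print(handle_request(db, sid, now=1000))      # profile for the valid session
    print(handle_request(db, "unknown", now=1000))  # authorization failed
```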