September 07, 2006

Quick tip for keeping track of users in your application

Just recently had an FMS connection hijacker so I thought I'd share a quick tip here.

There are a lot of times when I'll release something to a bunch of users, or even just publicly, and I want to know where people are coming from. You may be thinking at this point, "Why would I want to know where they are coming from when it's my own app?" Here goes an explanation :)

Well, with FMS applications it's very easy to actually just connect up to them by taking apart an original application with Actionscript Viewer or something, keeping the basic framework in place and putting your own graphics in or whatever. So essentially what somebody may do is steal connections on your server by hijacking your SWF. Or they may just copy the SWF from their cache and place it on their own site.

Now, if you were really good, you would already have lots of security in place (check out my security preso if you are interested in that area) and wouldn't need to do what I'm about to suggest. But perhaps you also want to see how far your apps make it out on the world wide web. For example, I have a "Moving Words" application that was originally placed on this site (it doesn't seem to be there anymore, though I have a copy of it here) but has made it to other sites by people copying out the SWF and putting it on their own site! I don't really mind though, so it's fun watching it go places.

So for example, you have an app and people are using it where you put it, but some decide to put it on their own site and pretend they made it, and more malicious users will decompile the SWF and change it to make it their own. The first group isn't so bad, I think; it's the second group that really makes me shake my head. Anyway, this is how you catch them.

At the top of your main.asc file on the server side, put this in:

application.allowDebug = true;

This will allow you to "debug" your applications. The reason we need this is so we can view shared objects that are on the server in that particular application in the administration panel.

Next up is the creation of the shared object on the server side:

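application.onAppStart = function(){
    // counter used to hand out a unique ID to each connecting user
    this.usersID = 1;
    // non-persistent shared object holding one slot per connected user
    this.usersSO = SharedObject.get("users", false);
}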

We are creating a usersID counter so that every user who connects gets a unique ID (useful later), and also creating the Shared Object, which is non-permanent. You can make it permanent if you want, I suppose.

Now, when a user connects up:

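application.onConnect = function(clientObj){
    clientObj.uniqueUserID = this.usersID;
    clientObj.connectStartTime = new Date();
    // store the client object in its own slot of the shared object
    this.usersSO.setProperty("user" + this.usersID, clientObj);
    this.usersID++;
    // accept the connection; with no return value it would stay pending
    return true;
}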

We set some values here to let us know what the client's unique ID is and when they connected to the application. Then we place the client object itself in a slot in the shared object. Once we have done this, we can then go to the administration panel and just click on the shared objects tab, click on the shared object and all of our users with all their info will show up. The key one we want in this instance is the "referrer" value. This will give you the URL where the user is coming from! That's it. Quite useful I have found, just thought I'd share.

Make sure to delete the entry from the Shared Object when they disconnect though:

application.onDisconnect = function(clientObj){
    // clear this user's slot so the shared object only lists live connections
    this.usersSO.setProperty("user" + clientObj.uniqueUserID, null);
}
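
Once the list of users grows, reading referrers one by one in the administration panel gets tedious. The following is an added example, not part of the original post: it groups entries shaped like the slots of the "users" shared object by referrer host and flags hosts that are not yours. The host names, sample entries and function names are constructed, and the claim that the two functions also work in server-side ActionScript is an assumption.

```javascript
// Added example, not from the original post. The two functions stick to
// ES3-style JavaScript; console.log at the bottom is for running it in Node.

// Assumption: placeholder hosts where you published the SWF yourself.
var OWN_HOSTS = ["www.example.com", "example.com"];

// Lowercase host of a referrer URL; "" for an empty value or a file:/// copy.
function referrerHost(referrer) {
    var m = /^[a-z][a-z0-9+.\-]*:\/\/([^\/?#]*)/i.exec(String(referrer || ""));
    if (!m) { return ""; }
    var host = m[1].substring(m[1].lastIndexOf("@") + 1); // drop userinfo
    return host.replace(/:\d*$/, "").toLowerCase();       // drop port
}

// Group entries by referrer host and flag hosts that are not in ownHosts.
// Hosts are compared exactly, so "www.example.com.copy.example.net" does not
// pass as "www.example.com". The referrer is reported by the connecting
// client, so this is a tracking signal, not proof of origin.
function auditReferrers(users, ownHosts) {
    var own = {}, byHost = {}, report = [], i, key, host, slot;
    for (i = 0; i < ownHosts.length; i++) { own["h:" + ownHosts[i].toLowerCase()] = true; }
    for (key in users) {
        if (!users.hasOwnProperty(key) || !users[key]) { continue; } // cleared slot
        host = referrerHost(users[key].referrer);
        slot = "h:" + host;
        if (!byHost.hasOwnProperty(slot)) {
            byHost[slot] = { host: host || "(none)", foreign: !own.hasOwnProperty(slot), ids: [] };
            report.push(byHost[slot]);
        }
        byHost[slot].ids.push(users[key].uniqueUserID);
    }
    return report;
}

// Constructed sample shaped like the "users" shared object above.
var SAMPLE_USERS = {
    user1: { uniqueUserID: 1, referrer: "http://www.example.com/words/MovingWords.swf" },
    user2: { uniqueUserID: 2, referrer: "http://copy.example.net/games/MovingWords.swf" },
    user3: { uniqueUserID: 3, referrer: "http://www.example.com.copy.example.net/a.swf" },
    user4: { uniqueUserID: 4, referrer: "file:///C:/temp/MovingWords.swf" },
    user5: null,
    user6: { uniqueUserID: 6, referrer: "HTTP://WWW.EXAMPLE.COM:80/words/MovingWords.swf" }
};

var REPORT = auditReferrers(SAMPLE_USERS, OWN_HOSTS);
for (var n = 0; n < REPORT.length; n++) {
    console.log((REPORT[n].foreign ? "FOREIGN " : "own     ") + REPORT[n].host + " ids=" + REPORT[n].ids.join(","));
}
```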

Posted by Graeme at September 7, 2006 12:46 PM
 


