Posted on Tuesday 20 September 2005
Remoting authentication works with an AMF header called SetCredentials, containing an object with the keys username and password. AMFPHP uses this information to call the _authenticate function and set up the current user's role. The problem is that, for some reason, client-initiated headers are persistent across a NetConnection. This means that as soon as you call service.connection.setCredentials, the username and password are automatically added to every subsequent AMF message sent. Three issues follow. First, the username and password are sent in the clear several times, with obvious security consequences, much like the standard HTTP-auth issues. Second, even if you hit Authenticate::logout on the server, the user/pass is still in the following AMF messages, so _authenticate will be called again on the very next message and the logout is effectively undone, UNLESS setCredentials is called again to change the header. Third, the user is re-authenticated on every call, meaning extra stress on the database.
So here's what AMFPHP does now. We cannot force the client to drop a header; however, we can force a client to set a header to a specific value (see mx.remoting.Connection). So you will see an extra enigmatic trace in the NetConnection debugger: AddHeader Credentials AMFPHP_CLEARED_LOGIN. In fact AMFPHP is telling Flash to set the Credentials header to this dummy value, overwriting the login info once _authenticate has been called. From that point on AMFPHP checks the SetCredentials header for this particular value and skips the _authenticate call if it is the dummy AMFPHP_CLEARED_LOGIN string; the role established by the one real _authenticate call is kept server-side. That means that the credentials are sent only once thanks to this hack, thus solving problems 1, 2 and 3 simultaneously. Calling service.connection.setCredentials again will modify the header, _authenticate will be called, and then once again AMFPHP will ask the client to clear the header. Note however that this requires the use of mx.remoting.Connection or another Remoting wrapper that can handle server-initiated SetHeader calls; a client that ignores them keeps resending the password and is back to the old behaviour. Also, note that if you upgrade you may find that you have to tweak your ActionScript and PHP slightly, as this deviates significantly from the standard behaviour.
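To make the handshake concrete, here is an added example that models both sides of it: a client whose headers persist across calls the way a NetConnection's do, and a gateway that authenticates from the Credentials header, remembers the role in its session, and pushes the dummy value back so the password is sent only once. It is written in Python rather than AMFPHP's PHP and is not AMFPHP's own code; the Client and Server classes, the run_session helper, the user table and the service targets (Admin.secret, Authenticate.logout) are invented for the illustration, and the header key names follow the post above. The clear_login flag lets you replay the same call sequence against the old behaviour to see problems 1 to 3 reappear.

```python
# Added example: model of AMFPHP's credential-clearing handshake.
# Not AMFPHP code; class names, targets and the user table are invented.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Dummy value the gateway pushes back into the Credentials header once
# _authenticate has run, so later messages carry no password.
CLEARED_LOGIN = "AMFPHP_CLEARED_LOGIN"

# Constructed sample user table: username -> (password, role)
USERS = {"alice": ("s3cret", "admin")}


@dataclass
class Request:
    target: str
    headers: Dict[str, object]


@dataclass
class Response:
    result: object
    # Server-initiated header values the client must apply
    # (the "AddHeader" line seen in the NetConnection debugger).
    set_headers: Dict[str, object] = field(default_factory=dict)


class Client:
    """Models a NetConnection: client-set headers persist on every later call."""

    def __init__(self, server: "Server", honour_server_headers: bool = True):
        self.server = server
        # False models a Remoting wrapper that ignores server-initiated SetHeader.
        self.honour_server_headers = honour_server_headers
        self.headers: Dict[str, object] = {}
        self.sent: List[Request] = []  # every message that went on the wire

    def set_credentials(self, username: str, password: str) -> None:
        self.headers["Credentials"] = {"username": username, "password": password}

    def call(self, target: str):
        req = Request(target, dict(self.headers))
        self.sent.append(req)
        resp = self.server.handle(req)
        if self.honour_server_headers:  # what mx.remoting.Connection does
            self.headers.update(resp.set_headers)
        return resp.result


class Server:
    """Models the gateway: authenticates from the header, keeps the role in the session."""

    def __init__(self, clear_login: bool = True):
        self.clear_login = clear_login  # False reproduces the pre-fix behaviour
        self.session_role: Optional[str] = None
        self.auth_calls = 0  # each one stands in for a database round-trip

    def _authenticate(self, username: str, password: str) -> Optional[str]:
        self.auth_calls += 1
        entry = USERS.get(username)
        if entry and entry[0] == password:
            return entry[1]
        return None

    def handle(self, req: Request) -> Response:
        cred = req.headers.get("Credentials")
        resp = Response(result=None)
        # Only a real credentials object triggers _authenticate; the dummy is skipped.
        if cred is not None and cred != CLEARED_LOGIN:
            self.session_role = self._authenticate(cred["username"], cred["password"])
            if self.clear_login:
                resp.set_headers["Credentials"] = CLEARED_LOGIN
        if req.target == "Authenticate.logout":
            self.session_role = None
            resp.result = "logged out"
        elif req.target == "Admin.secret":
            resp.result = "ok" if self.session_role == "admin" else "denied"
        else:
            resp.result = "unknown target"
        return resp


def run_session(clear_login: bool = True, honour_server_headers: bool = True) -> dict:
    """Plays one login / two calls / logout / one call sequence and reports what happened."""
    server = Server(clear_login=clear_login)
    client = Client(server, honour_server_headers=honour_server_headers)
    client.set_credentials("alice", "s3cret")
    first = client.call("Admin.secret")
    second = client.call("Admin.secret")
    client.call("Authenticate.logout")
    after_logout = client.call("Admin.secret")
    passwords_on_wire = sum(
        1 for r in client.sent if isinstance(r.headers.get("Credentials"), dict))
    return {"first": first, "second": second, "after_logout": after_logout,
            "auth_calls": server.auth_calls, "passwords_on_wire": passwords_on_wire}


if __name__ == "__main__":
    print("new behaviour:", run_session(clear_login=True))
    print("old behaviour:", run_session(clear_login=False))
```

With clear_login=True the password crosses the wire once, _authenticate runs once, and the call after logout is denied; with clear_login=False (or with a client that ignores server-initiated headers) every message carries the password, every message hits _authenticate, and the post-logout call succeeds because the resent header logs the user straight back in.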
Grab the latest AMFPHP version here. Note: I just bought the Captivate license, thanks! Now all I need is a decent microphone. AMFPHP 1.0 is currently feature complete, I’m waiting on bug reports and docs for release.


