Application Security for Flex when ssl is not available


So I know the best practice would be to run my Flex app over ssl along with implementing other forms of security however that isn't an option at this point (for monetary reasons and the app simply doesn't need that much security otherwise my sponsors would pay for it). However, I would like to implement some form of security and I'm wondering whether it's even worth it when I don't have ssl to protect the transactions.

So my setup is that I have a ASP.Net server side with a Flex UI. Right now the UI is the only thing that protects access to the sever: the server doesn't do any sort of verification during each request, it just assumes the person is allowed to do it. Obviously, anybody could write a program to generate posts (even if I could use SSL it would be like swiss cheese). Like I said before, security isn't a big deal, this is an internal app and it's nothing critical, however I do believe in doing things right. Would keeping the user info in session be a viable option and then verifying that the given user has permission, etc. Perhaps some sort of token system?

What would your preferred method of protecting this setup be?

...and no, I won't give you the url :)

ASP.NET Session itself is token based security and yes you can easily implement that by doing


and yes, any web method requires login to be done first, it should call User.IsAuthenticated, that verifies the session token.

You can easily implement form authentication (let web.config empty, you can use FormsAuthentication in code).

for example,

public string DoLogin(
    string username,
    string password)

    //.. do your verification
    return "Login Sucessful";

public string ChangePassword(
    string oldPass,
    string newPass)
     // verify user is logged on or not..
          return "Please Login";
     // The code below is secure, only
     // authenticated user will go through below
     // change pass...

     return "Password Changed Successfully.";

We developed many Flex+ASP.NET sites, we did exactly same thing, but instead of return "string" we usually return a class like following...

public class WSResult<T>{
     public bool Successful;
     public string Message;
     public T Result;
     public T[] Results;

The convention is simple, if method was successful then you return Success = true, and depending upon whether you want to return an array of items or just single item, you can return either Results or Result. In case if there has been any error or unathorized access you can set Successful=false and set Message as detailed string. As per following example.

public WSResult<BusinessUser> DoLogin(
    string username,
    string password)
       BusinessUser user = BusinessUser.GetByUsername(username);
            throw new Exception("User not found");
       if(user.Password != password)
            throw new Exception("Password did not match");
       return new WSResult<BusinessUser>{ Result=user };
    }catch(Exception ex)
        // this will even catch any DAL exceptions or any system error as well
        // Log Exception... somewhere for tracking...
        return new WSResult<BusinessUser>{ Successful=false, Message = ex.Message };