I've been playing around with sockets for the past few days and have some questions about security. I am running Flash websocket on the client side and a PHP socket server on the server.
I have an app where users create private chatrooms. My question is, are there any security issues I should be watching out for? I am doing authentication on the chatroom page to make sure the user has the permissions to be there, etc.
But is there anything I need to do on the websocketserver.php to prevent people from sending messages to a room if they don't have permissions to be there?
I am doing authentication on the chatroom page
What kind of "authentication"? A one time log in to serve the page? That would be basically zero security.
You have to issue some kind of token and send it at the start of the socket connection, then validate the connection server side (via the token) to make sure that it comes from an authenticated user. Otherwise, it would be quite easy to simply connect to your server and start sending messages.
A basic model could look like this:
- User logs in to the chat
- Validate user data etc.
- Issue a token for this user, store this token in the DB and send it to the page
- Start your socket connection and send the token
- Check the token in the websocket server and get the matching user
- Now validate all actions against this user's permissions
As for the lifetime of the token, it should be deleted as soon as the connection terminates.
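The token model from the answer above, written out as an added example (not code from the original post). The arrays `$tokens`, `$roomMembers` and `$connections` are in-memory stand-ins for the database and the socket server's connection list, and the user and room names are constructed sample data.

```php
<?php
// Added example, not from the original post: a minimal token model for the
// websocket server. $tokens and $roomMembers stand in for the database the
// answer refers to; $connections maps a socket id to its authenticated user.
$tokens = [];                                    // sha256(token) => user id
$roomMembers = ['room-42' => ['alice', 'bob']];  // constructed sample data
$connections = [];                               // socket id => user, token hash

// Step 3: called by the login page once the user's credentials are validated.
function issue_token(string $userId): string {
    global $tokens;
    $token = bin2hex(random_bytes(32));         // 256 random bits, unguessable
    $tokens[hash('sha256', $token)] = $userId;  // keep only a hash server side
    return $token;                              // sent to the page once
}

// Step 5: the first frame on a new socket must carry the token.
function authenticate_connection(string $socketId, string $token): ?string {
    global $tokens, $connections;
    $h = hash('sha256', $token);
    if (!isset($tokens[$h])) {
        return null;                            // unknown token: drop the socket
    }
    $connections[$socketId] = ['user' => $tokens[$h], 'token_hash' => $h];
    return $tokens[$h];
}

// Step 6: every message is checked against the user bound to the socket,
// never against a user id the client puts in the message itself.
function can_post(string $socketId, string $roomId): bool {
    global $connections, $roomMembers;
    if (!isset($connections[$socketId])) {
        return false;                           // unauthenticated socket
    }
    $user = $connections[$socketId]['user'];
    return in_array($user, $roomMembers[$roomId] ?? [], true);
}

// Token lifetime: invalidate it as soon as the connection terminates.
function on_close(string $socketId): void {
    global $tokens, $connections;
    if (isset($connections[$socketId])) {
        unset($tokens[$connections[$socketId]['token_hash']]);
        unset($connections[$socketId]);
    }
}

// Usage: $t = issue_token('alice'); authenticate_connection('sock-1', $t);
// can_post('sock-1', 'room-42') is true, can_post('sock-2', 'room-42') false;
// after on_close('sock-1'), authenticate_connection('sock-3', $t) returns null.
```

The token only protects anything if the page and the socket both run over TLS; otherwise anyone on the path can read it from the first frame.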