
Using sessions & tricking Basic Authentication

Posted: Sun Mar 15, 2009 8:08 am
by TravisN.
Boban posted this info about sessions, PHP and Flash in the old forum.

I think I found an explanation for the sessions problem. This seems to be the Flash Cookie Bug described here:

http://swfupload.org/forum/generaldiscussion/383

There seems to be no solution yet. Flash reads IE cookies even when it runs from Firefox or another non-IE browser. I am not sure if Adobe has released a fix for this.

Some more information about Flash upload cookies issue can be found here:

https://bugs.adobe.com/jira/browse/FP-1044

Steps to reproduce:
1. Start a packet capture tool to watch the traffic between browser and remote web server.
2. Start up your Flex application
3. Perform an action which results in Flash performing a request (POST) to a secured resource.
4. Dialogue box pops up, you enter your username + password.
5. Authentication is performed correctly (can also tell by watching packet capture).
6. Do a Filereference.upload within your Flash/Flex application (to a resource secured within the same security realm).
7. Request fails, authentication error.
8. Look at the packet capture.... Flash discarded all cookies and authentication information when doing the file upload.

Conclusion:
Unlike a browser file upload, Flash does not support authenticated file upload.

Isn't it time to fix this one? It's been there since Flash 8, when you introduced the feature, and this is a major showstopper for usage on sites that require login. The URLStream class doesn't seem to have any of these issues: it retains cookies and Basic Authentication information, and it works over SSL.


SOLUTION

In your PHP file which includes .fileUpload, put this:
Code:
<?php
session_start();
// marker that upload.php will look for in the resumed session
$_SESSION['mydata'] = 'whatever';

Within your fileUpload parameters, add this one:
Code:
'scriptData': {'session_name': '<?= session_id(); ?>'}

Then in upload.php you can get your session data this way:
Code:
<?php
// Resume the browser's session using the id Flash sent as a request parameter.
// The id is taken from the request unchecked: anyone who knows it can resume
// the session, and the value is handed straight to the session handler.
session_id($_GET['session_name']);
session_start();
// Only a session that the page above prepared carries the marker.
if ($_SESSION['mydata'] != 'whatever') {
        header("HTTP/1.0 404 Not Found");
        exit;
}
 


BASIC AUTHENTICATION
I don't think you could use this to trick Basic Authentication, because this is done with the GET method, while Basic Authentication is sent in request headers and checked by your web server.

You can use two solutions.

1. Continue using Basic Authentication, but put the upload.php script outside of the protected directory and use session security as I described above. So, all my multi-upload files reside inside the protected directory, except upload.php, which resides outside of it but is protected by sessions.

2. Another way is to authenticate user in PHP and use sessions in all scripts.

Re: Using sessions & tricking Basic Authentication

Posted: Fri Apr 17, 2009 7:46 am
by webmentors
The example will not work if session_auto_start=on on the server.

In that case try:

Code:
'scriptData': {'PHPSESSID': '<?php echo session_id();?>'},


PHPSESSID is the default session name for PHP. Check what yours is before using it.

Re: Using sessions & tricking Basic Authentication

Posted: Fri Aug 28, 2009 12:59 pm
by drh
I'm working with Zend Framework under session-based authentication (with session_auto_start on) and I was able to get this working by adding the JavaScript parameter webmentors suggested...
Code:
'scriptData': {'PHPSESSID': '<?php echo session_id();?>'},


...and writing a controller plug-in to check for this variable and restart the session as needed so authentication could be done successfully.

Plug-in
Code:
<?php
/**
* @see Zend_Controller_Plugin_Abstract
*/
require_once 'Zend/Controller/Plugin/Abstract.php';

/**
* Controller plugin that restarts the session for Uploadify.swf calls
*/
class Application_Controller_Plugin_Uploadify extends Zend_Controller_Plugin_Abstract
{
    /**
     * PreDispatch Hook.
     *
     * Checks to see if the current request has been made by the Uploadify.swf file;
     * if so, restart the PHP session and continue on.
     *
     * @param Zend_Controller_Request_Abstract $request
     * @return void
     */
    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        $phpSessId = $request->getParam('PHPSESSID');
        // Only act on requests that carry the id and are not already on it.
        // With session_auto_start on, PHP has by now opened a fresh, empty
        // session for the Flash request, because Flash sent no cookie.
        if (!empty($phpSessId) && session_id() != $phpSessId) {
            session_destroy();          // drop the auto-started session
            session_id($phpSessId);     // id comes from the request unchecked
            session_start();            // reopen the browser's session
        }
    }
}


Also worth noting, Uploadify has no trouble dealing with Controllers/Actions for the 'script' parameter, e.g.
Code:
'script' : '<?php echo $this->url(array('controller' => 'upload', 'action' => 'handle-file-upload')) ?>',


Hope this helps anyone else working under similar circumstances.
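The following is a hardened version of the upload.php pattern used in this thread: the first post's session_id()/session_start() handler, plus the session_auto_start=on variant that webmentors and drh describe. It is an added example, not code from the original posts or from Uploadify. The field names PHPSESSID and Filedata, the session keys user_id and upload_ok, and the UPLOAD_DIR path are assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example (not from the original posts): hardened upload.php that
// resumes the browser's session from a scriptData field sent by Flash.
//
// Assumptions (mine, not from the thread): the login page stored
// $_SESSION['user_id'] (numeric) and set $_SESSION['upload_ok'] = true;
// Uploadify posts the id in 'PHPSESSID' and the file in 'Filedata';
// files are saved under UPLOAD_DIR.

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';             // assumed destination
const SESSION_ID_RE = '/^[A-Za-z0-9,-]{22,128}$/';  // alphabet PHP itself generates

/**
 * Return the session id the Flash client sent, or null if it is missing or
 * malformed. The raw value must never reach session_id(): with the default
 * files handler the id becomes part of a filename under session.save_path.
 */
function upload_session_id(array $request): ?string
{
    $id = $request['PHPSESSID'] ?? null;
    return (is_string($id) && preg_match(SESSION_ID_RE, $id) === 1) ? $id : null;
}

/**
 * Switch this request onto the browser's session.
 * - If session.auto_start already opened a session (a fresh, empty one,
 *   because Flash sent no cookie), close it first; nothing in it is needed.
 * - use_strict_mode makes PHP refuse ids it never issued: a forged id then
 *   yields a new empty session, which the login check below rejects.
 * - No cookie is set: this response goes to the Flash player, not the browser.
 */
function resume_session(string $id): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        if (session_id() === $id) {
            return;
        }
        session_write_close();
    }
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_cookies', '0');
    session_id($id);
    session_start();
}

function fail(int $status, string $reason): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $reason;
    exit;
}

// ---- request handling ----
// scriptData normally arrives by POST; GET covers a 'method': 'GET' setup.
$id = upload_session_id($_POST + $_GET);
if ($id === null) {
    fail(403, 'no session');
}
resume_session($id);

// The resumed session must prove a login; the id alone proves nothing.
if (empty($_SESSION['user_id']) || empty($_SESSION['upload_ok'])) {
    fail(403, 'not authenticated');
}

$file = $_FILES['Filedata'] ?? null;
if ($file === null || $file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
    fail(400, 'bad upload');
}

// Never trust the client-supplied name: keep a safe basename, drop path pieces.
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($file['name']));
$name = ltrim($name, '.') ?: 'upload';
$dest = sprintf('%s/%d_%s', UPLOAD_DIR, (int) $_SESSION['user_id'], $name);

if (!move_uploaded_file($file['tmp_name'], $dest)) {
    fail(500, 'could not store file');
}
session_write_close();
echo 'ok';
```

The point of the extra checks: a session id arriving in a form field is a bearer credential, so the script verifies it is well-formed before PHP touches the session store, lets strict mode reject ids the server never issued, and then trusts only what the resumed session contains, never the id itself.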

Re: Using sessions & tricking Basic Authentication

Posted: Wed Sep 23, 2009 8:51 am
by battcor
Upon testing, .htaccess might solve the problem. It removes authentication for that particular file and prevents Firefox from crashing.

I created a .htaccess file in the same folder as my_uploader_script.php. Below is my .htaccess:

# Serve my_uploader_script.php without Basic Authentication:
# "Satisfy Any" lets a request through if either the auth rules or the
# host-based allow rules pass, so the script itself must check the session.
<Files "my_uploader_script.php">
Satisfy Any
</Files>

http://topeinthehouse.blogspot.com/2009 ... e-bug.html

Re: Using sessions & tricking Basic Authentication

Posted: Sun Mar 14, 2010 4:07 am
by fermar
I needed (wanted really) to add the code .uploadify({ in a .js file, not in a .php.... so, this is what I did:

Code:
// Read the PHPSESSID cookie value without going through PHP.
// Only works while the session cookie is not HttpOnly.
// Guard against the cookie being absent: indexOf() returns -1, and
// start+10 would otherwise slice from the wrong place.
var cookie = "";
var start = document.cookie.indexOf("PHPSESSID=");
if (start != -1) {
    var end = document.cookie.indexOf(";", start); // First ; after start
    if (end == -1) end = document.cookie.length;   // failed indexOf = -1
    cookie = document.cookie.substring(start + "PHPSESSID=".length, end);
}

$("#someid").uploadify({
.
.
'script'           : 'upload.php',
'scriptData'     : { 'PHPSESSID': cookie },
.
.
});


and in your upload.php :
Code:
session_id($_POST['PHPSESSID']);
session_start();
.
.



note: your session name may vary, I'm using the default "PHPSESSID"

thanks for the solution.

Re: Using sessions & tricking Basic Authentication

Posted: Thu Apr 01, 2010 8:26 am
by simo
Hi,

I use the trick below. I'm able to retrieve my session_id but I don't get my cookie value :

In my upload.php I have

Code:
session_id($_POST['PHPSESSID']);
session_start();

echo "cookie value : " . $_COOKIE['mycookie'];


But cookie value is just empty. Any help is most welcome.
Thanks,

simo

Re: Using sessions & tricking Basic Authentication

Posted: Thu May 27, 2010 10:31 am
by lperry65
This will not work if your javascript is in an external file. PHP will not parse a .js file