Using sessions & tricking Basic Authentication

TravisN.

Boban posted this info about sessions, php and flash in the old forum.

I think I found explanation about sessions problem. This seems to be the Flash Cookie Bug described here:

http://swfupload.org/forum/generaldiscussion/383

There seems to be no solution yet. Flash is reading IE cookies besides it runs from Firefox or other non IE browser. I am not sure if Adobe released a fix for this.

Some more information about Flash upload cookies issue can be found here:

https://bugs.adobe.com/jira/browse/FP-1044

Steps to reproduce:
1. Start a packet capture tool to watch the traffic between browser and remote web server.
2. Start up your Flex application
3. Perform an action which results in Flash performing a request (POST) to a secured resource.
4. Dialogue box pops up, you enter your username + password.
5. Authentication is performed correctly (can also tell by watching packet capture).
6. Do a Filereference.upload within your Flash/Flex application (to a resource secured within the same security realm).
7. Request fails, authentication error.
8. Look at the packet capture.... Flash discarded all cookies and authentication information when doing the file upload.

Conclusion:
Unlike a browser file upload, Flash does not support authenticated file upload.

Isn't it time to fix this one. It's been there since Flash 8 when you introduced the feature and this is a major showstopper for usage on sites that require login. The URLStream class doesn't seem to have any of these issues it retains cookies, basic authentication information and works over SSL.

SOLUTION

In your PHP file which includes .fileUpload, put this:
[code=php]session_start();
$_SESSION['mydata'] = 'whatever'; [/code]
Within your fileUpload parameters, add this one:
[code=php]'scriptData': {'session_name': '<?= session_id</span>(); ?>'} [/code]
Then in upload.php you can get your session data this way:
[code=php]session_id($_GET['session_name']);
session_start();
if ($_SESSION['mydata'] != 'whatever') {
header("HTTP/1.0 404 Not Found");
exit;
} [/code]

BASIC AUTHENTICATION
I don't think you could use this to trick Basic Authentication because this is done with GET method and basic authentication is sent by request headers and checked by your Web server.

You can use two solutions.

1. Continue using Basic Authentication but put upload.php script outside of protected directory and use sessions security like I described above. So, all my multi upload files reside inside protected directory, except upload.php which resides outside of it, but it is protected by sessions.

2. Another way is to authenticate user in PHP and use sessions in all scripts.

webmentors

The example will not work if session_auto_start=on on the server

in thats the case try:

'scriptData': {'PHPSESSID': '<?php echo session_id();?>'},

PHPSESSID is the default session name for php. Check what is yours before using it

drh

I'm working with Zend Framework under session based authentication (with session_auto_start on) and I was able to get this working by adding the javascript parameter webmentors suggested...


'scriptData': {'PHPSESSID': '<?php echo session_id();?>'},

...and writing a controller plug-in to check for this variable and restart the session as needed so authentication could be done successfully.

Plug-in


<?php
/**
 * @see Zend_Controller_Plugin_Abstract
 */
require_once 'Zend/Controller/Plugin/Abstract.php';

/**
 * Controller plugin that restarts the session for Uploadify.swf calls
 */
class Application_Controller_Plugin_Uploadify extends Zend_Controller_Plugin_Abstract
{
    /**
     * PreDispatch Hook.
     *
     * Checks to see if the current request has been made by the Uploadify.swf file
     * if so restart up the php session and continue on
     *
     * @param Zend_Controller_Request_Abstract $request
     * @return void
     */
    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        $phpSessId = $request->getParam('PHPSESSID');
        if (!empty($phpSessId) &amp;&amp; session_id() != $phpSessId) {
            session_destroy();
            session_id($phpSessId);
            session_start();
        }
    }
}

Also worth noting, Uploadify has no trouble dealing with Controllers/Actions for the 'script' parameter, e.g.


'script' : '<?php echo $this->url(array('controller' => 'upload', 'action' => 'handle-file-upload')) ?>',

Hope this helps anyone else working under similar circumstances.

battcor

Upon testing, .htaccess might solve the problem. It removes authentication for that certain file and prevents firefox from crashing.

I create .htaccess file within the same folder with my_uploader_script.php Below is my .htaccess

Satisfy Any

http://topeinthehouse.blogspot.com/2009 ... e-bug.html

fermar

I needed (wanted realy) to add the code .uploadify({ in a .js file, not in a .php.... so, this is what I did:


var start = document.cookie.indexOf(\"PHPSESSID=\");
var end = document.cookie.indexOf(\";\", start); // First ; after start
if (end == -1) end = document.cookie.length; // failed indexOf = -1
var cookie = document.cookie.substring(start+10, end);

$(\"#someid\").uploadify({
.
.
'script'           : 'upload.php',
'scriptData'     : { 'PHPSESSID': cookie },
.
.
});

and in your upload.php :


session_id($_POST['PHPSESSID']);
session_start();
.
.

note: your session name may vary, I'm using the default "PHPSESSID"

thanks for the solution.

simo

Hi,

I use the trick below. I'm able to retrieve my session_id but I don't get my cookie value :

In my upload.php I have

session_id($_POST['PHPSESSID']);
session_start();

echo \"cookie value : \" . $_COOKIE['mycookie'];

But cookie value is just empty. Any help is most welcome.
Thanks,

simo

lperry65

This will not work if your javascript is in an external file. PHP will not parse a .js file

navigrassor

So that's where my problem was!

cheap xanax
zolpidem

zluiten

This sort of works for me, but not completely.

uploadify.php:


session_id($_POST['PHPSESSID']);
session_start();

upload.js:


$("#someid").uploadify({
'script' : 'uploadify.php',
'scriptData' : { 'PHPSESSID': '<?php echo(session_id()); ?>'},
});

Except it only works for the first file I upload. It seems the next time the script uploads it doesnt send de value 'scriptData' again... Anyone?

[Deleted User]

The user and all related content has been deleted.

hero888

After 4hours trying to resolve the problem, I added one parameter in the initialization of the function uploadify.
I wrote the javascript code in an echo and in the same file like the


<?php
session_start();
$id = session_id();
	echo "<script language='JavaScript'>
	$(document).ready( function () {

				$('#file_upload').uploadify({
				  'uploader'       : 'uploadify/uploadify.swf',
				  'script'         : 'uploadify/uploadify.php',
				  'cancelImg'      : 'uploadify/cancel.png',
				  'folder'         : 'uploads',
				  'multi'          : true,  
				  'method' : 'post',
				  'scriptData' : { 'PHPSESSID': '".$id."'},
				  
				  'auto'           : true,
				  'fileExt'        : '*.jpg;*.gif;*.png;*.php',
				  'fileDesc'       : 'Image Files (.JPG, .GIF, .PNG, .PHP)',
				  'queueID'        : 'custom-queue',
				  'queueSizeLimit' : 1,
				  'simUploadLimit' : 1,
				  'removeCompleted': false,
				  'onSelectOnce'   : function(event,data) {
									  $('#status-message').text(data.filesSelected + ' files have been added to the queue.');
									},
				  'onAllComplete'  : function(event,data) {
					  $('#status-message').text(data.filesUploaded + ' fichiers envoyés, ' + data.errors + ' erreurs.');
					}
				});				
	
	});
	</script>";

		?>
		
<div class="upload">
        <div id="status-message">Select some files to upload:</div>
<div id="custom-queue"></div>
<input id="file_upload" type="file" name="Filedata" />        
</div>

And then, in the uploadify.php


<?php
$id = $_POST['PHPSESSID'];
			session_id($id);
			session_start();
?>

Howdy, Stranger!

Categories