Sessions and uploadify
Usually the session ID won't be read from POST.
You could do this:
// Copy the id Uploadify posted into the cookie array before the session starts,
// so session_start() resumes that session instead of creating a new one.
if (!empty($_POST['PHPSESSID'])) {
    $_COOKIE['PHPSESSID'] = $_POST['PHPSESSID'];
}
session_start();
How to pass the session cookie to Play via Uploadify?
Well, if you're using the httpOnly configuration (and you should!), then it's impossible to pass Play's native auth cookie to uploadify.
What I did was:
1. Not secure the Images controller with @With(Secure.class), but instead use a before method:
@Before(unless = "uploadPost")
public static void before() throws Throwable {
Secure.checkAccess();
}
2. Pass along two parameters from the controller that renders the page hosting the uploadify plugin: userId, and signedUserId
String userIdSignature = Crypto.sign(Long.toString(user.id));
render(..., user.id, userIdSignature);
3. Pass these two parameters to uploadify, and to the uploadPost method
public static void uploadPost(Upload upload, long userId, String userIdSignature) {
    // Recompute the signature server-side; a tampered userId will not match.
    assertEquals(userIdSignature, Crypto.sign(Long.toString(userId)),
        "Failed to authenticate user ID " + userId);
    // ... store the upload for userId ...
}
If for some reason you don't want the client to know its user ID, an alternative to signing is encrypting the user id.
Note that you are still exposed to replay attacks using this method, but I believe this is a general problem with Play (I could be mistaken about this). You can add an expiration date to the signature to limit the damage.
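The same "sign the user id" idea, written as an added PHP example rather than the answer's Play/Java code (it is not the answerer's code and Play's Crypto.sign is replaced by HMAC-SHA256). It adds the two things a practitioner would want on top of the answer: an expiry inside the signed payload, which bounds the replay window the answer warns about, and a constant-time comparison via hash_equals. The field name upload_token, the TOKEN_TTL value, the $secret, and $_SESSION['user_id'] as the login marker are all assumptions.

```php
<?php
declare(strict_types=1);

const UPLOAD_TOKEN_TTL = 600; // seconds a token stays valid; assumed value

// Build "<userId>.<expiresAt>.<hmac>" for the page to hand to Uploadify's formData.
function issue_upload_token(int $userId, string $secret, int $now, int $ttl = UPLOAD_TOKEN_TTL): string
{
    $payload = $userId . '.' . ($now + $ttl);
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

// Return the user id the token vouches for, or null when it is malformed,
// tampered with, signed with another key, or past its expiry.
function verify_upload_token(string $token, string $secret, int $now): ?int
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$userId, $expiresAt, $mac] = $parts;
    if (!ctype_digit($userId) || !ctype_digit($expiresAt)) {
        return null;
    }
    $expected = hash_hmac('sha256', $userId . '.' . $expiresAt, $secret);
    // hash_equals() does not leak where the first mismatching byte is.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    if ((int) $expiresAt < $now) {
        return null; // expired: a captured token is only replayable until then
    }
    return (int) $userId;
}

// Page that renders Uploadify (after the normal cookie-based login check):
//   $token = issue_upload_token((int) $_SESSION['user_id'], $secret, time());
//   'formData' : { 'upload_token' : '<?= htmlspecialchars($token, ENT_QUOTES) ?>' }

// Upload endpoint: it never sees the HttpOnly session cookie, only formData.
function handle_upload(array $post, string $secret, int $now): int
{
    $userId = verify_upload_token((string) ($post['upload_token'] ?? ''), $secret, $now);
    if ($userId === null) {
        http_response_code(403);
        exit('Failed to authenticate upload token');
    }
    return $userId; // safe to attribute $_FILES['Filedata'] to this user
}

// Self-check on constructed values (placeholder secret; use random_bytes(32) for real).
$secret = 'placeholder-secret-replace-with-random_bytes-output';
$now    = 1700000000;
$token  = issue_upload_token(42, $secret, $now);
$checks = [
    verify_upload_token($token, $secret, $now + 60) === 42,                     // fresh token
    verify_upload_token($token, $secret, $now + UPLOAD_TOKEN_TTL + 1) === null, // expired
    verify_upload_token('43' . substr($token, 2), $secret, $now) === null,      // user id swapped
    verify_upload_token($token, 'other-secret', $now) === null,                 // wrong key
];
if (in_array(false, $checks, true)) {
    throw new RuntimeException('upload token self-check failed');
}
```

The token is bound to the user id and an expiry, not to the session, so within the TTL it still works from any client that captures it; if that matters, include a hash of the session id in the signed payload and check it on the upload side as well.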
Uploadify is destroying session before upload
Have you tried replacing the PHPSESSID with sec_session_id?
$(function() {
    $('#file_upload1').uploadify({
        'formData' : {
            // Session name and id are rendered server-side so the Flash request carries them.
            '<?=session_name()?>' : '<?=session_id()?>',
            'timestamp' : '<?=$timestamp?>',
            'token'     : '<?=md5('unique_salt' . $timestamp)?>'
        },
        'swf'      : 'uploadify.swf',
        // Encode the query values so they cannot break out of the URL.
        'uploader' : 'uploadify1.php?id=<?=rawurlencode($id)?>&state=<?=rawurlencode(strtolower($state))?>'
    });
});
On top of your PHP: session_id($_POST['sec_session_id']);
Also, session_name($session_name) should be executed before session_set_cookie_params.
function sec_session_start() {
    $session_name = 'sec_session_id'; // Set a custom session name
    session_name($session_name); // Sets the session name to the one set above.
    $secure = false; // Set to true if using https.
    $httponly = true; // This stops javascript being able to access the session id.
    ini_set('session.use_only_cookies', 1); // Forces sessions to only use cookies.
    session_set_cookie_params(86400);
    $cookieParams = session_get_cookie_params(); // Gets current cookie params.
    session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
    session_start(); // Start the php session
    session_regenerate_id(true); // Regenerate the session id and delete the old one.
}
Passing $_SESSION in uploadify
It is insecure:
Send the session id with the request and have the server use that session id (if sent).
When I used a swf uploader, I did that. Something like this:
// Resume the session named in the request body, since the swf sends no cookie.
if ( !empty($_POST['sess']) ) {
    session_id($_POST['sess']);
}
session_start();
And on the page you make the request, you get the session id with:
<?php echo session_id(); ?>
Should work, but is not very secure either. My advice: don't use a swf uploader =) HTML5 introduces accept="mimetypes" and multiple as file input attributes. See the specs. If the client doesn't support HTML5 like this: too bad.
Uploadify with Codeigniter 3 losing cookie/session
Uploadify doesn't pass the current session information. Codeigniter has changed the way cookies/sessions are handled. So, your jquery cookie fetch won't work.
You try to carry the session like this:
'formData':{'bizid':<?=$biz->id?>,'browser_cookie':<?php echo 'your session here'?>},
Then in your controller, you can verify if the session exists. And if not, just set a new session then use it. This should work just fine.
Can't see any session values when using Uploadify in ASP.NET
Have you read this post in Uploadify's manual about a bug in Flash that prevents it from posting a session variable?