Through Flash's FileReference and FileReferenceList classes, you can create a powerful file uploader that allows the user to upload multiple files with a single form element. But beware: unless the user happens to be using IE, the upload will use a new browser session to upload the files. This means that if you require that a user be authenticated before uploading something (and you better be), the upload won't work - the request will be forwarded to the login form, or to wherever your system forwards unauthorized requests. This is a maddening bug to track down, and there is nothing you can do to make Flash use the right session. The work around is to send the session cookie in the url and, on the server side, use that to override the new (and wrong) session cookie sent by Flash. Here's how that works in symfony, although much of the following is useful for other languages or frameworks:
First, we have to tell our Flash component what the cookie is, so it can roll it into the URL. One solution would be to pass the session cookie as an argument in FlashVars, but then the user's session cookie is sitting unencrypted in the HTML, leaving them vulnerable to cross-site request forgery. Better to use javascript to fetch the cookie, and then put it in FlashVars. If you are using ufo.js, the first argument to UFO.create() should look like this:
{
movie: '/flash/uploader.swf',
id: 'uploader',
name: 'uploader',
flashvars: 'cookie=' + document.cookie,
// other options ...
}
Note that if you are dealing with multilple cookies, you will want to parse the output of document.cookie and send only the desired cookie.
Next, add the cookie to the URL in your ActionScript (this is for ActionScript 2.0):
var list:Array = myFileRefList.fileList;
var item:FileReference;
var url:String = _root.uploadURL + '?cookie=' + _root.cookie;
for (var i:Number = 0; i < list.length; i++) {
item.upload (url);
}
That does it for the client side. Now, we need to tell PHP to use our cookie instead of the one the browser sent. This does the trick:
list($cookieName, $cookieValue) = str_split('=', $_GET['cookie']);
session_name($cookieName);
session_id($cookieValue);
session_start();
If you are using symfony, things are a little more complex. We need to call session_name() and session_id() before session_start(); looking at the symfony source code, we find that session_start() is called in sfSessionStorage::initialize(). So a simple solution is to extend the sfSessionStorage class:
class mySessionStorage extends sfSessionStorage
{
public function initialize($context, $parameters = null)
{
if ( /* whatever the condition is when we want to do this */ ) {
if ($cookie = $context->getRequest()->getParameter('cookie')) {
$name = 'symfony';
preg_match('/^' . $name.'=(.*)$/', $cookie, $asMatch);
$value = $asMatch[1];
session_name($name);
session_id($value);
}
}
parent::initialize($context, $parameters);
}
}
Finally, tell symfony to use the mySessionStorage class by editting factories.yml:
all:
storage:
class: mySessionStorage
param:
session_name: symfony
And you're done! Clear your cache, and try it out. An easy way to check if it's working is to add the following line to the end of index.php (or frontend.php):
file_put_contents('testSessionOverwrite.txt', sfContext::getInstance()->getRequest()->getActionName());
Now try uploading a file. If the action name in testSessionOverwrite.txt is the action you're uploading to, you're golden. If instead it is the name of the action that authenticates users, you have a problem somewhere, and you get to have the enjoyable experience of debugging PHP without browser output. Remember to erase the debugging line from your front controller when you get everything working.
Next time, just make the users upload their damn files one-at-a-time...
9 Comments Add your own
1. rpsblog.com » A wee&hellip | September 10th, 2007 at 1:52 am
[...] Using Flash Upload with PHP & symfony [...]
2. Subiendo archivos con Fla&hellip | September 12th, 2007 at 1:08 pm
[...] este artículo del blog de Rob Rosenbaum se explican los pasos necesarios para corregir el problema de subir [...]
3. Usare flash upload da ute&hellip | September 27th, 2007 at 4:40 am
[...] http://robrosenbaum.com/flash/using-flash-upload-with-php-symfony/ [...]
4. ProDevTips - dev related &hellip | February 21st, 2008 at 6:06 am
[...] up on this without a little help. Why can nothing ever be simple? I was fortunate and quickly found Rob's Flash upload in Symfony article before I got too panicked. Empowered by the basic aha feeling I got from that piece I was able to [...]
5. thawootah | March 22nd, 2008 at 9:22 pm
Man I still cant get it to work its bugging me to no end.
I passed the session id into flash added it to the url and tried everything from session_id($_GET['PHPSESSID']) to your way.
6. droopy6 | April 10th, 2008 at 8:39 am
Currently I used Tomcat with realm authentication. FileReference does NOT loose cookies if you don't send "Pragma:no-cache" to the client. unfornutaly, Tomcat does this by default. So I created a J2EE filter doing this:
response.setHeader("Pragma","");
of course, to be able to disable caching, use the HTTP1.1 header:
response.setHeader("Cache-Control","no-store");
I hope this help you.
note: FileReference will never work in HTTPS to upload a file with firefox. The workaround is complex. I created a standard HTML form (visible !) with ExternalInterface (DOM/Javascript mud) at the top of the HTML Wrapper of my Flex app. When all is done, I remove it.
7. IllegalCharacter | April 15th, 2008 at 1:50 pm
Hey guys, thanks for the helpful script! Just wondering though, how secure is this?
8. junkie | November 13th, 2008 at 6:28 pm
what if the server regenerates session id with every request to prevent session fixation attacks?
9. VJ | May 29th, 2009 at 3:05 pm
Great tip. Thanks.
Leave a Comment
Please: No emoticons or excessive punctuation.Trackback this post | Subscribe to the comments via RSS Feed