Part of the EllisLab Network
Session and cookie information lost when using Flash
Posted: 17 April 2008 04:25 AM
Research Assistant
Total Posts:  440
Joined  12-13-2007

I just wanted to extend from my previous discussion about session information being lost when using SWFupload - an uploader that uses Flash as a method of uploading a file via HTTP allowing the user to see the progress of the upload.

The reason for the new topic is because this issue relates to the Flash Player in specific rather than just SWFupload. This issue is also related to CI because by default it uses Cookies to handle session information.

I found a great post just recently about this issue on the SWFupload forum but thought I would let people on here know about it as well because it will extend to other sites utilising http requests via flash.

Please note this is all just based on my own research.

The Problem - IE
When Flash is used to make a http request to your CI site in IE7 the session for the logged in user/current session is lost. The reason for this is because Flash makes the http request with a different User Agent to IE causing CI to re-issue a new session cookie for Flash.

This looks to be an ok practice but from what I can evaluate Flash uses the IE cookies directory for storage and hence replaces your current IE session cookie with the new one for Flash.

I thought that making the $config['sess_match_useragent'] variable set to false would fix this but it doesn’t. Reason being from what I can see is that flash doesn’t at first check if there are any current cookies for it to use for the site and requests a new one from CI.

The Problem - Firefox / others
It seems that there is no problem in Firefox, but there is. The reason why other browsers (in a Windows environment) don’t see these problems is because Flash in these browsers still uses the IE cookies. E.g. I log into the site with IE and leave it open, then open Firefox and log in, and then upload via Flash: I stay logged in in Firefox but IE has been logged out.

A possible fix
The first problem to solve is that Flash when uploading doesn’t have a session to give to CI meaning when uploading it’s treated as a new user - not the current user. The way I have worked around this is the usage of a ‘token’ that is sent as a POST variable (you could use a uri segment) from the first function (where flash is located) to the second function. You could use the session ID but keep in mind that it is changed every few minutes and will be cleared after the issue of the new one. This first fix is really dependent on your own application/database structure.

The second fix needed is to stop the overwriting of this cookie and the best way I have found is to not issue one at all. Personally I do not like the following fix and would like to see some better suggestions but it does work for me in the meantime.

In your sessions class you need to change the following line in the CI_Session function that is run on object construct:

$this->sess_run(); 

with

if (! stristr($this->CI->input->user_agent(),'shockwave')) {
    $this->sess_run();
}
 Signature 

PX Webdesign | The Lab | Personal Blog

Posted: 25 May 2008 08:23 AM   [ # 1 ]
Summer Student
Total Posts:  28
Joined  03-03-2008

Thanks! I agree the last suggested fix isn’t the best, but it works. Have been struggling with this for a couple of hours now

 Signature 

Love with your heart. Use your head for everything else

Posted: 27 May 2008 04:39 AM   [ # 2 ]
Grad Student
Total Posts:  67
Joined  07-31-2006

So what happens when the useragent comes through as “Adobe Flash Player 9” ???? :P

Oh oooooh…

 Signature 

Andrew Somervell Beer

Posted: 27 May 2008 05:51 AM   [ # 3 ]
Grad Student
Total Posts:  67
Joined  07-31-2006

Ok now a couple of hours into this, would LOVE to see your upload code

 Signature 

Andrew Somervell Beer

Posted: 27 May 2008 06:59 AM   [ # 4 ]
Summer Student
Total Posts:  28
Joined  03-03-2008

Coming through as Adobe Flash Player 9 won’t make anything happen, but coming through as Shockwave Flash on the other hand ;) I know, it is a security risk, but the security measures should mirror the importance of the website. So I don’t care. Since I use the DB to store session data one could match the IP from the flash session and compare it with the IP of an already logged in user and see if they match, also the last_active could be checked to see if they are at least within e.g. 15 min of each other.

@a.somervell
Are you talking about the upload code used with SWF uploader?

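function upload() {
    // Upload settings; SWFUpload posts the file in the 'Filedata' field
    $config['upload_path'] = '/path';
    $config['allowed_types'] = 'gif|jpg|png';
    $config['max_size'] = '60';
    $this->load->library('upload', $config);

    $this->upload->do_upload('Filedata');
    $res = $this->upload->data();

    // Resize settings ('$src' is a placeholder for the uploaded file path)
    $config['source_image'] = '$src';
    $config['width'] = 600;
    $config['height'] = 600;

    // image_lib has to be loaded with the settings before resize() is called
    $this->load->library('image_lib', $config);
    $this->image_lib->resize();
    $this->image_lib->clear();

    // The response body is what the Flash uploader receives
    $retval = '/image/path.ext';
    echo $retval;
}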
 Signature 

Love with your heart. Use your head for everything else

Posted: 27 May 2008 05:33 PM   [ # 5 ]
Grad Student
Total Posts:  67
Joined  07-31-2006

It’s a happy man that gets all that working! haha (as I just did)

 Signature 

Andrew Somervell Beer

Posted: 26 June 2008 03:39 PM   [ # 6 ]
Lab Assistant
Total Posts:  293
Joined  01-25-2008

Hmm.. thanks for the posts fellas.
Has anyone gotten this to work with CodeIgniter?

I’ve done the following:

In the controller:

$data["session_id"] = $this->input->cookie($this->db_session->sess_cookie);
$this->load->view("swfupload", $data);

In the view

window.onload = function () {
    swfu = new SWFUpload({
        // Backend Settings
        upload_url: "$site_url/swfupload/avatar/",    // Relative to the SWF file
        post_params: {"PHPSESSID": "$session_id"},
.......

And in the system/libraries/Session

function CI_Session()
{
    $this->CI =& get_instance();

    log_message('debug', "Session Class Initialized");
    //$this->sess_run();
    if (! stristr($this->CI->input->user_agent(),'shockwave')) {
        $this->sess_run();
    }
}

But the session in the flash and session in my web app don’t correspond to each other (i.e. flash doesn’t seem to think that the user is logged in when in fact the user is)

 Signature 

http://PawshPal.com/ - Funny Dog Pictures

Posted: 17 May 2010 12:28 PM   [ # 7 ]
Summer Student
Total Posts:  3
Joined  04-07-2010

solution found yet?

Posted: 17 May 2010 01:35 PM   [ # 8 ]
Lab Assistant
Total Posts:  293
Joined  01-25-2008

Yes… you have to pass the session ID to OFC, save it to DB, and work around it.
There’s no fix for this nor will there be (from what it seems like)

 Signature 

http://PawshPal.com/ - Funny Dog Pictures

Posted: 02 August 2010 08:35 AM   [ # 9 ]
Summer Student
Total Posts:  4
Joined  03-29-2010

Help

if (! stristr($this->CI->input->user_agent(),'shockwave')) {
    $this->sess_run();
}

A PHP Error was encountered

Severity: Notice

Message: Undefined property: CI_Session::$CI

Filename: libraries/Session.php

Line Number: 20

A PHP Error was encountered

Severity: Notice

Message: Trying to get property of non-object

Filename: libraries/Session.php

Line Number: 20
Fatal error: Call to a member function user_agent() on a non-object in Session.php on line 20

Posted: 02 August 2010 11:11 AM   [ # 10 ]
Sr. Research Associate
Total Posts:  3841
Joined  11-04-2008

You haven’t missed this part?

$this->CI =& get_instance(); 

Note that it’s not a good idea to modify core classes this way. If you need this, you are better off extending them.

 Signature 

WanWizard.eu | Modular CI, an HMVC solution | DataMapper ORM

Posted: 01 March 2011 12:10 PM   [ # 11 ]
Grad Student
Total Posts:  37
Joined  01-04-2008

This is sort of an old topic. Not the most secure way, but I did this by setting a random code in the config and posting that random string with the flash upload. You may also want to look at the CI 2.0 (I realize CI 2.0 wasn’t available at the beginning of this thread) csrf_protection. Once again not the MOST secure method, but would probably be good enough for most needs. Especially if the users have to be logged in in the first place to access those particular features.

 Signature 

Check us out at Clear Sky Designs
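
The 'token' sent as a POST variable in the first post, and the random string posted with the Flash upload in the post above, can be combined into a short-lived signed token so that neither the raw session ID nor a fixed secret is posted to the upload URL. This is an added example, not code from this thread or from CodeIgniter; the function names, the TTL and the secret are assumptions, and it needs PHP 7.1 or later.

```php
<?php
// Added example: the page that embeds the Flash uploader issues a token for the
// logged-in user; the upload action verifies it. All names are hypothetical.

const UPLOAD_TOKEN_TTL = 300; // lifetime in seconds (constructed value)

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Build "payload.signature", binding the token to one user and an expiry time.
function issue_upload_token(string $userId, string $secret, int $now): string
{
    $payload = b64url(json_encode(['uid' => $userId, 'exp' => $now + UPLOAD_TOKEN_TTL]));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, $secret, true));
}

// Return the user id if the token is authentic and unexpired, otherwise null.
function verify_upload_token(string $token, string $secret, int $now): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, $secret, true));
    if (!hash_equals($expected, $sig)) { // constant-time comparison
        return null;
    }
    $data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($data) || !isset($data['uid'], $data['exp']) || $now > $data['exp']) {
        return null;
    }
    return (string) $data['uid'];
}

// Constructed demo values; the secret stays on the server and is never posted.
$secret = 'replace-with-a-long-random-server-side-key';
$now    = 1700000000;
$token  = issue_upload_token('42', $secret, $now); // goes into post_params

var_dump(verify_upload_token($token, $secret, $now + 60));       // within the TTL
var_dump(verify_upload_token($token, $secret, $now + 301));      // past the expiry
var_dump(verify_upload_token($token . 'x', $secret, $now + 60)); // altered signature
```

A token like this can be replayed until it expires, so keep the TTL short and still apply the usual file type and size checks in the upload action.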

Posted: 04 May 2011 11:08 AM   [ # 12 ]
Grad Student
Total Posts:  73
Joined  12-12-2007

Update for CI Version 1.7.x and 2.0.x:

You must add session id into view file as a parameter:

post_params: {"PHPSESSID": "<?php echo $this->session->userdata('session_id'); ?>"}

After that, setting up in your config file as given below:

$config['sess_match_useragent'] = FALSE;

Because $this->sess_run(); command was removed in new versions.

 Signature 

audentis fortuna iuvat
CodeIgniter Turkey

Posted: 10 May 2011 05:10 PM   [ # 13 ]
Summer Student
Total Posts:  3
Joined  05-10-2011
Fatih - 04 May 2011 03:08 PM

Update for CI Version 1.7.x and 2.0.x:

You must add session id into view file as a parameter:

post_params: {"PHPSESSID": "<?php echo $this->session->userdata('session_id'); ?>"}

After that, setting up in your config file as given below:

$config['sess_match_useragent'] = FALSE;

Because $this->sess_run(); command was removed in new versions.


Do you still need to do something to the Session library?

My problem is that I’ve upgraded to CodeIgniter 2 and SWFUpload started throwing 302 errors because of the same old session id problem I had fixed with this forum’s help with CI 1.7. Now it seems I have to spend a day doing this all over again :/

My main problem seems to be initializing the session with the original session id that’s been passed on in the POST.

I’d really appreciate if you could briefly explain if you did any other changes to your controller of Session library for CI2.

Thanks!

Posted: 11 May 2011 01:53 AM   [ # 14 ]
Grad Student
Total Posts:  73
Joined  12-12-2007
villlllle - 10 May 2011 09:10 PM

Do you still need to do something to the Session library?

My problem is that I’ve upgraded to CodeIgniter 2 and SWFUpload started throwing 302 errors because of the same old session id problem I had fixed with this forum’s help with CI 1.7. Now it seems I have to spend a day doing this all over again :/

My main problem seems to be initializing the session with the original session id that’s been passed on in the POST.

I’d really appreciate if you could briefly explain if you did any other changes to your controller of Session library for CI2.

Thanks!

@villlllle: I didn’t change anything in my session libraries. But I changed on my application/config.php file:

$config['sess_cookie_name'] = 'cisession';

Because I read about many posts that IExplorer doesn’t like some session names (like that “ci_session”).

 Signature 

audentis fortuna iuvat
CodeIgniter Turkey

Posted: 11 May 2011 02:05 AM   [ # 15 ]
Sr. Research Associate
Total Posts:  4318
Joined  06-19-2009

IE Does not like the underscore!

InsiteFX

 Signature 

Custom Designed Icons, eBook Covers Software Boxes. CD, DVD Etc. New iPhone® Tab Bar Icons and iPhone® Applications Icons.

STOP! Before posting your questions, remember the WWW Golden rule:
What did you try? What did you get? What did you expect to get?

Input -> Controller | Processing -> Model | Output -> View
