I just wanted to extend from my previous discussion about session information being lost when using SWFupload - an uploader that uses Flash as a method of uploading a file via HTTP allowing the user to see the progress of the upload.
The reason for the new topic is that this issue relates to the Flash Player specifically rather than just SWFupload. This issue is also related to CI because by default it uses cookies to handle session information.
I found a great post just recently about this issue on the SWFupload forum but thought I would let people on here know about it as well because it will extend to other sites utilising HTTP requests via Flash.
Please note this is all just based on my own research.
The Problem - IE
When Flash is used to make an HTTP request to your CI site in IE7, the session for the logged-in user/current session is lost. The reason for this is that Flash makes the HTTP request with a different User Agent to IE, causing CI to re-issue a new session cookie for Flash.
This looks to be an OK practice, but from what I can evaluate Flash uses the IE cookies directory for storage and hence replaces your current IE session cookie with the new one for Flash.
I thought that setting the $config['sess_match_useragent'] variable to false would fix this but it doesn’t. The reason, from what I can see, is that Flash doesn’t at first check if there are any current cookies for it to use for the site and requests a new one from CI.
The Problem - Firefox / others
It seems that there is no problem in Firefox, but there is. The reason why other browsers (in a Windows environment) don’t see these problems is that Flash in these browsers still uses the IE cookies. E.g. I log into the site with IE and leave it open, then open Firefox, log in and upload via Flash; I stay logged in in Firefox but IE has been logged out.
A possible fix
The first problem to solve is that Flash, when uploading, doesn’t have a session to give to CI, meaning that when uploading it’s treated as a new user, not the current user. The way I have worked around this is the use of a ‘token’ that is sent as a POST variable (you could use a URI segment) from the first function (where Flash is located) to the second function. You could use the session ID but keep in mind that it is changed every few minutes and will be cleared after the issue of the new one. This first fix is really dependent on your own application/database structure.
The second fix needed is to stop the overwriting of this cookie, and the best way I have found is to not issue one at all. Personally I do not like the following fix and would like to see some better suggestions, but it does work for me in the meantime.
In your sessions class you need to replace the following line in the CI_Session function that is run on object construct:

    $this->sess_run();

with

    if (! stristr($this->CI->input->user_agent(), 'shockwave')) {
        $this->sess_run();
    }
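
The token workaround from the first fix, as an added example that is not part of the original post and is not CodeIgniter or SWFupload code: because the token stands in for the session cookie on the upload request, it is made random, bound to one user, short-lived and single-use. The function names, the 300-second lifetime and the in-memory `$store` (standing in for a database table) are assumptions, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example; all names are hypothetical. $store stands in for a database
// table keyed by the SHA-256 of the token, so the raw token is never stored.

const UPLOAD_TOKEN_TTL = 300; // seconds a token stays valid (assumed value)

// Called by the page that embeds the Flash uploader, for the logged-in user.
function issue_upload_token(array &$store, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32));      // unguessable, 64 hex characters
    $store[hash('sha256', $token)] = [
        'user_id' => $userId,
        'expires' => $now + UPLOAD_TOKEN_TTL,
    ];
    return $token;                           // handed to Flash as a POST parameter
}

// Called by the upload handler, which gets no usable session cookie from Flash.
// Returns the user id the token was issued to, or null if it must be rejected.
function redeem_upload_token(array &$store, $posted, int $now): ?int
{
    if (!is_string($posted) || !preg_match('/\A[0-9a-f]{64}\z/', $posted)) {
        return null;                         // missing or malformed
    }
    $key = hash('sha256', $posted);
    if (!isset($store[$key])) {
        return null;                         // never issued, or already used
    }
    $row = $store[$key];
    unset($store[$key]);                     // single use, even when expired
    return $row['expires'] >= $now ? $row['user_id'] : null;
}

// Constructed demo: user 42 opens the upload page, Flash posts the token back.
$store = [];
$now   = time();
$token = issue_upload_token($store, 42, $now);

var_dump(redeem_upload_token($store, $token, $now + 10));   // first use
var_dump(redeem_upload_token($store, $token, $now + 11));   // replay of the same token
$late = issue_upload_token($store, 42, $now);
var_dump(redeem_upload_token($store, $late, $now + 301));   // past its lifetime
var_dump(redeem_upload_token($store, 'not-a-token', $now)); // malformed input
```

The upload handler should act only as the user id returned here and treat a null result as an unauthenticated request.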
