Well not quite but almost. Here’s my dilemma: I have a Flex app that allows the user to upload files. My backend PHP script utilizes session variables to ensure the user has the appropriate credentials before proceeding with the upload. When run under a Firefox browser, it appears as though a brand-new session is created when Flex calls the upload.php script.
Here’s a recap:
1) Flex app uploading a file via file.upload(request,"upload")
2) Upload.php check requires existing session vars to be present
3) When invoked via Firefox, upload.php has NO existing session variables
4) IE works great!! Yep, I can’t believe it either.
It *is* possible to pass the php session information (print("?".session_name().'='.session_id());) to the upload script but that’s not a viable option due to security concerns.
For now, I’ve coded up a hack around this problem, but I’m hoping to have some more time in the near future to investigate further.
Bryn Jones
September 16, 2008 at 11:47 am
Hi Joshua,
I’m faced with the same issue as you – would you mind sharing your hack to resolve this issue?
Many thanks,
Bryn.
iongion
November 16, 2008 at 6:29 am
Hi,
“It *is* possible to pass the php session information (print("?".session_name().'='.session_id());) to the upload script but that’s not a viable option due to security concerns.”
Why is that so insecure? Do you think cookies are safer in this regard?
Basically your server takes input from REQUEST composed of GET/POST/COOKIE … no matter where you put the session_id, it still must be sent from a public part, so I still wonder why it seems insecure. Maybe I am missing something.
ralph
February 10, 2009 at 3:49 am
I also have this problem with my Flex uploader. I noticed that if you open the upload.php file in a browser it reads the session, but with Flex it won’t.