Uploadify (Session and authentication) with ASP.NET MVC

3

34

When I use the Authorize filter on an action or a controller used by Uploadify (http://www.uploadify.com/), the action isn't reached...

Moreover, sessions are not retrieved.

I found this to retrieve the user session:

http://geekswithblogs.net/apopovsky/archive/2009/05/06/working-around-flash-cookie-bug-in-asp.net-mvc.aspx

But how do I use it with the [Authorize] filter and the retrieved session?

Vantassel answered 13/11, 2009 at 13:24 Comment(3)
This site is for questions and answers. It's fine to answer your own question or put knowledge-base type articles here, but phrase them in the form of a question and then respond to them with your solution in the answer. – Semela
You can't use AuthorizeAttribute and Session state in MVC? Are you sure about that? – Koziara
Sosh, did I write that?? – Vantassel
62

To correct this I propose a solution... Send the auth cookie value and session ID cookie value with Uploadify and recreate them before the session is retrieved.

Here is the code to implement in the view:

<script>
    // Values rendered server-side so the Flash uploader can post them back
    var auth = "<%= Request.Cookies[FormsAuthentication.FormsCookieName]==null ? string.Empty : Request.Cookies[FormsAuthentication.FormsCookieName].Value %>";
    var ASPSESSID = "<%= Session.SessionID %>";

    $("#uploadifyLogo").uploadify({
        // ...
        formData: { ASPSESSID: ASPSESSID, AUTHID: auth }
    });
</script>

And then in Global.asax :

protected void Application_BeginRequest(object sender, EventArgs e)
{
    /* we guess at this point session is not already retrieved by application so we recreate cookie with the session id... */
    try
    {
        string session_param_name = "ASPSESSID";
        string session_cookie_name = "ASP.NET_SessionId";

        // Prefer the posted form value, fall back to the query string
        if (HttpContext.Current.Request.Form[session_param_name] != null)
        {
            UpdateCookie(session_cookie_name, HttpContext.Current.Request.Form[session_param_name]);
        }
        else if (HttpContext.Current.Request.QueryString[session_param_name] != null)
        {
            UpdateCookie(session_cookie_name, HttpContext.Current.Request.QueryString[session_param_name]);
        }
    }
    catch
    {
        // Errors are swallowed: the request continues with the cookies it already had
    }

    try
    {
        string auth_param_name = "AUTHID";
        string auth_cookie_name = FormsAuthentication.FormsCookieName;

        // Same lookup order for the forms authentication ticket
        if (HttpContext.Current.Request.Form[auth_param_name] != null)
        {
            UpdateCookie(auth_cookie_name, HttpContext.Current.Request.Form[auth_param_name]);
        }
        else if (HttpContext.Current.Request.QueryString[auth_param_name] != null)
        {
            UpdateCookie(auth_cookie_name, HttpContext.Current.Request.QueryString[auth_param_name]);
        }
    }
    catch
    {
        // Errors are swallowed: the request continues with the cookies it already had
    }
}

// Overwrites (or creates) a cookie on the incoming request, before session and auth modules read it
private void UpdateCookie(string cookie_name, string cookie_value)
{
    HttpCookie cookie = HttpContext.Current.Request.Cookies.Get(cookie_name);
    if (null == cookie)
    {
        cookie = new HttpCookie(cookie_name);
    }
    cookie.Value = cookie_value;
    HttpContext.Current.Request.Cookies.Set(cookie);
}

And voila, with that method it's totally transparent.

Hope it helps some!! ;)

EDITED: use formData instead of scriptData

Vantassel answered 13/11, 2009 at 14:19 Comment(13)
Thanks, this fixed the problem I was having with retrieving session data in Firefox. – Membranophone
Indeed, this is extremely helpful: I thank you for it. I was figuring the problem must involve the way Flash retrieves session cookies (if at all), but I just didn't have visibility to what the heck was going on and until I saw this I never realized you could actually update the incoming cookie in this manner. You're a gorram hero, thanks. =) – Centipoise
Putting your sessionId in your script is a bad idea, as it makes it vulnerable to session hijacking (unless you're serving your script over SSL). – Gunter
@Alex - Having a session without SSL connection to server is vulnerable to session hijacking no matter what. If a theoretical hijacker is looking at your unencrypted page text, with script, with sessionId, they could just as easily look at the cookies you transmit to the server with the sessionId to maintain that session in the first place. – Pia
@Adam Nofsinger - this is true, but no need to open yourself up more. With cookies you can set them to HTTPOnly (not foolproof I know), but with script you're opening yourself to malicious js. Here is a similar response - that doesn't require the session ID to be in your js. #4538674 Sorry I don't mean to be picky, yours is a great answer (helped me out), but I've done a bit of security research recently and it caught my attention. – Gunter
+1000 for really helping me out. -999 for having two empty catch clauses. hurts my eyes... – Nuggar
See even more complete solution here. Hurrah! zootfroot.blogspot.com/2010/12/… – Dumah
That helped, thanks. If you want to encourage Adobe to fix this bug, here's a bug tracker link for this issue: bugs.adobe.com/jira/browse/FP-1044 – Fabian
If you've implemented this solution and Session.SessionID is still not being overridden by the POSTed value, try implementing a custom SessionIDManager. It worked for me. blogs.microsoft.co.il/blogs/dorony/archive/2008/02/15/… – Cadency
formData instead of scriptData for newer versions of Uploadify – Disentitle
I have a weird issue: I have tried all the above options but I am still not able to update the cookie on the server, but on my developer machine it is working fine. Has anybody faced this kind of issue?? [My developer machine is just a replica of my server machine, so no config difference.] – Veridical
It's worth pointing out @JeffBorden's answer re: using formData instead of scriptData, because otherwise you'll wonder why nothing's working if you're using the latest version of Uploadify! – Countertenor
I am just updating an older site to use ASP.NET Identity and found similar code in the Global.asax.cs to handle sessions with Flash... how would this code change to support ASP.NET Identity authentication rather than forms? – Congregate
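
A narrower variant of the Global.asax handler from the answer above, added here as an example (it is not part of the original answer or its comments): it accepts the posted values only on the upload POST, ignores the query string, and restores cookies only when the posted forms ticket decrypts and has not expired. The class name `MvcApplication` and the route `~/Upload/Logo` are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;
public class MvcApplication : HttpApplication
{
    private const string UploadPath = "~/Upload/Logo"; // hypothetical route (assumption)

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = HttpContext.Current.Request;

        // Accept body-supplied credentials only on the upload POST. The query string is
        // ignored so tokens never end up in URLs, server logs or Referer headers.
        if (request.HttpMethod != "POST" ||
            !string.Equals(request.AppRelativeCurrentExecutionFilePath, UploadPath,
                           StringComparison.OrdinalIgnoreCase))
            return;

        string auth = request.Form["AUTHID"];
        if (string.IsNullOrEmpty(auth) || !IsLiveTicket(auth))
            return; // leave the request's own cookies as they are

        SetRequestCookie(FormsAuthentication.FormsCookieName, auth);
        // Restore the session only for a caller that presented a valid ticket.
        string sessionId = request.Form["ASPSESSID"];
        if (!string.IsNullOrEmpty(sessionId))
            SetRequestCookie("ASP.NET_SessionId", sessionId);
    }

    private static bool IsLiveTicket(string encrypted)
    {
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(encrypted);
            return ticket != null && !ticket.Expired;
        }
        catch (Exception) // malformed or tampered value
        {
            return false;
        }
    }

    private static void SetRequestCookie(string name, string value)
    {
        HttpCookie cookie = HttpContext.Current.Request.Cookies.Get(name) ?? new HttpCookie(name);
        cookie.Value = value;
        HttpContext.Current.Request.Cookies.Set(cookie);
    }
}
```

The ticket and session ID are still rendered into the page, so the view should be served over HTTPS, as the comments above discuss.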
5

This solution works great. I translated the code to VB if anyone wants it:

Protected Sub Application_BeginRequest(ByVal sender As Object, ByVal e As System.EventArgs)
    'we guess at this point session is not already retrieved by application so we recreate cookie with the session id...
    Try
        Dim session_param_name = "ASPSESSID"
        Dim session_cookie_name = "ASP.NET_SessionId"

        If Not HttpContext.Current.Request.Form(session_param_name) Is Nothing Then
            UpdateCookie(session_cookie_name, HttpContext.Current.Request.Form(session_param_name))
        ElseIf Not HttpContext.Current.Request.QueryString(session_param_name) Is Nothing Then
            UpdateCookie(session_cookie_name, HttpContext.Current.Request.QueryString(session_param_name))
        End If
    Catch ex As Exception
    End Try


    Try
        Dim auth_param_name = "AUTHID"
        Dim auth_cookie_name = FormsAuthentication.FormsCookieName

        If Not HttpContext.Current.Request.Form(auth_param_name) Is Nothing Then
            UpdateCookie(auth_cookie_name, HttpContext.Current.Request.Form(auth_param_name))
        ElseIf Not HttpContext.Current.Request.QueryString(auth_param_name) Is Nothing Then
            UpdateCookie(auth_cookie_name, HttpContext.Current.Request.QueryString(auth_param_name))
        End If
    Catch ex As Exception
    End Try
End Sub

Private Sub UpdateCookie(ByVal cookie_name As String, ByVal cookie_value As String)
    Dim cookie = HttpContext.Current.Request.Cookies.Get(cookie_name)
    If cookie Is Nothing Then
        cookie = New HttpCookie(cookie_name)
    End If
    cookie.Value = cookie_value
    HttpContext.Current.Request.Cookies.Set(cookie)
End Sub

Here's the part for the JavaScript variable assignment:

var auth = "<%=IIf(Request.Cookies(FormsAuthentication.FormsCookieName) Is Nothing, "", Request.Cookies(FormsAuthentication.FormsCookieName).Value)%>";
var ASPSESSID = "<%=Session.SessionID%>";

Maybe someone working in VB can benefit from that.

Talton answered 29/3, 2010 at 22:7 Comment(0)
0

For the VB-converted code, start the code block with <%# instead of <%=

i.e.

var auth='<%# IIf(Request.Cookies(FormsAuthentication.FormsCookieName) Is Nothing, "", 
     Request.Cookies(FormsAuthentication.FormsCookieName).Value)%>';

var ASPSESSID = '<%# Session.SessionID%>';
Juggle answered 24/1, 2013 at 11:34 Comment(0)
