Using SWFUpload + Sessions + upload class, how I did it.

[quote author="defunct" date="1237881456"]can you post your entire MY_Session.php[/quote]

I attached the file.
Btw: I use cookie encryption;
$config['sess_encrypt_cookie']  = TRUE;

Using that updated session class I am having trouble getting CI to find the session data in $_POST. Logging the contents of $_POST I see that "ci_session" and that data was sent to the upload page from swfupload - but the session class isn't seeing that post key.

function sess_read()
{
    /*
     * Workaround for flash player cookie bug:
     * Check if the cookie-value was submitted via POST
     */
    $session = $this->CI->input->post($this->sess_cookie_name);
    if ($session === FALSE)
    {
        $sess = empty($_POST[$this->sess_cookie_name]) ? NULL : $_POST[$this->sess_cookie_name];
        log_message('error', 'post was empty for '. $this->sess_cookie_name. ' = '. $sess);
        // Fetch the cookie
        $session = $this->CI->input->cookie($this->sess_cookie_name);
    }
    // ... (rest of sess_read() not shown in the post)
}


Duh. I had sess_match_useragent on in my config which meant that everything was working fine - but the fact that "Shockwave Flash" != "Mozilla/5.0 Windows" meant that sessions deleted the current data.

I have tried to integrate swfupload in CI but I am getting 302 error. What should be the problem behind this? Please help me. Thanks in advance.

302 error? It has been a while, but I think that is an error you get if you did not set up the mime types.

'jpeg'    =>    array('image/jpeg', 'image/pjpeg', 'application/octet-stream'),
'jpg'    =>    array('image/jpeg', 'image/pjpeg', 'application/octet-stream'),
'jpe'    =>    array('image/jpeg', 'image/pjpeg', 'application/octet-stream'),

Yes, that was a problem of mime types only. As soon as I added application/octet-stream to it, it started working...

Hi guys, any update on this since the new session class was rolled into CI? The above doesn't seem to correlate anymore? I'm gonna have a crack at it now but wondered if anyone's modified the code...? (And put this all in MY_Session.php rather than hacking the core)?

Well, after a lot of bloody time thinking about it, I came up with the following for CI 1.7.1+

Don't hack Session.php, create a MY_Session.php so you're not touching the core.

Copy the sess_read() and _set_cookie() functions into it.

The first few lines look like this: (we're basically allowing the encrypted, serialized cookie data to be posted by the JS)

<?php if (!defined('BASEPATH')) exit('No direct script access allowed');

class MY_Session extends CI_Session
{
    var $cookie_data = FALSE;

    /**
     * Fetch the current session data if it exists
     *
     * @access    public
     * @return    bool
     */
    function sess_read()
    {
        // Fetch the cookie or post data
        $session = ($this->CI->input->post('cookie_data')) ? $this->CI->input->post('cookie_data') : $this->CI->input->cookie($this->sess_cookie_name);

        // ... (remainder of sess_read() as copied from CI_Session, not shown in the post)
    }
}

Then, just before the setcookie() function in _set_cookie add:

$this->cookie_data = $cookie_data;

In your view set:

post_params: {"cookie_data": "<?=$this->session->cookie_data?>"},

Working for me, can't see any security issues with it but if anyone can see one let me know, peer review away :)

Not sure how well it all works with 1.7.
But in my original post, there is no hacking of the core session, but rather editing the Native PHP Sessions, which is installed to replace the CodeIgniter session, since CodeIgniter does not use native PHP sessions by default.
As far as I know, in order to use sessions with SWFUpload (or any other Flash uploader) you need to have native PHP sessions, as the HTTP connection made by Flash will come in with a different user agent than your browser, so without the PHP session, your session data will be dropped. It's like logging in to a site in Firefox and expecting yourself to be logged in with IE as well.

But with PHP sessions, you can use the PHP session id to connect to that particular session, even across browsers, if you have the session id.

Hi Guys,

Just repeating this from a similar post I made some time ago.

The simple way to get flash uploaders working is to set...

$config['sess_match_useragent'] = FALSE;

in your config file.

The CI session manager is getting a different user-agent from the flash component (as mentioned above) and deleting the session.

If you're worried about doing this, faking a user-agent string is so easy that this method doesn't offer much in the way of security anyway.

Good luck.

I'm using database sessions with 1.7.1 and Uploadify (very similar to swfupload). Short of sending the entire contents of the cookie in the POST (as I've seen work for some people), is there no way to override the session to force it to use the proper session_id?

Right now, I'm getting a different session_id on the upload POST ($this->session->userdata('session_id')) than the one I'm sending in the sendData parameter.

I was hoping, similar to one of the earlier solutions, I could pass the session_id to the session library loader to have it use the appropriate session from the POST variable session_id.

Any ideas?
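
For the question above about tying the upload POST to a session without posting the whole cookie, here is an added example (not code from this thread or from CodeIgniter): a short-lived, HMAC-signed upload token that carries only the session id and an expiry. It assumes PHP 5.6+ (for hash_equals), session ids that contain no '|' character, and the hypothetical names UPLOAD_TOKEN_KEY, UPLOAD_TOKEN_TTL, make_upload_token() and verify_upload_token().

```php
<?php
// Added example: names and constants below are hypothetical, not part of CodeIgniter.
const UPLOAD_TOKEN_KEY = 'replace-with-a-long-random-server-side-secret'; // placeholder
const UPLOAD_TOKEN_TTL = 300; // seconds a token stays valid

// Called while rendering the page that embeds the uploader;
// the returned string is what goes into the uploader's post params.
function make_upload_token($session_id, $now = null)
{
    $expires = ($now === null ? time() : $now) + UPLOAD_TOKEN_TTL;
    $payload = $session_id . '|' . $expires;
    $mac     = hash_hmac('sha256', $payload, UPLOAD_TOKEN_KEY);
    return base64_encode($payload . '|' . $mac);
}

// Called by the upload endpoint; returns the session id, or FALSE if the
// token is malformed, tampered with, or expired.
function verify_upload_token($token, $now = null)
{
    $raw = base64_decode((string) $token, true);
    if ($raw === false) {
        return false;
    }
    $parts = explode('|', $raw);
    if (count($parts) !== 3) {
        return false;
    }
    list($session_id, $expires, $mac) = $parts;
    $expected = hash_hmac('sha256', $session_id . '|' . $expires, UPLOAD_TOKEN_KEY);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return false;
    }
    $now = ($now === null) ? time() : $now;
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return false;
    }
    return $session_id;
}

// Constructed sample values, with fixed clock values so the cases are repeatable.
$sid    = 'a3f1c2d4e5b60718293a4b5c6d7e8f90';
$token  = make_upload_token($sid, 1000);
$forged = base64_encode('someone-else|1300|' . str_repeat('0', 64));
var_dump(verify_upload_token($token, 1100) === $sid); // case: valid token inside the TTL
var_dump(verify_upload_token($token, 1301));          // case: token past its expiry
var_dump(verify_upload_token($forged, 1100));         // case: MAC does not match
```

The upload controller would still look up the session row for the returned id itself; the token only proves that the server issued that id to the page recently, independent of the User-Agent the Flash request arrives with.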
