Losing current session info when using SWFUpload in IE6 & IE7
#1

[eluser]Lone[/eluser]
I have gone into full testing mode for our newest app which of course involves playing around with everyone's fave - IE6. I have just about given up sorting this one out - it's a real killer!

Please note I am using the standard Session class for this.

What is happening is the user logs into the website and then goes to an 'add' page that is using SWFUpload to upload photos within. The instant SWFUpload is used in IE6 and IE7 any further page access by the user has them 'logged out' as the session ID has been changed.

When uploading via SWFUpload the SWF file uploads to a function in a controller - that function sees the SWF file as a different person as it has a different user agent. Problem is that somehow it also changes the logged-in user's session.

I have DB sessions enabled and this is the result in phpmyadmin after using SWFUpload:

Code:
57acbeffafdd502757ce2a119ed266aa      10.1.1.3      Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;      1203509227
95d1b4a698fb2fe50ad0fad565bd8d0b     10.1.1.3     Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;     1203509227
9c4cce73d3a443b707a6aa37c0e1ffd2     10.1.1.3     Shockwave Flash     1203509227
8c75e6172f6d218479d5d407b363723d     10.1.1.3     Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;     1203509142

The last row is the original session and then there has been three others created!

Does anyone have any idea what is going on here? I tried turning off the sess_match_useragent setting which actually fixed the problem - but obviously leaves a big security flaw.

I can understand how the SWF file is treated as a different user but I don't get why the browser session has changed and only in IE6 & IE7 not firey. It looks like a cookie problem as far as I can see so far?
#2

[eluser]Lone[/eluser]
Haha you just gotta love it, if I make 'sess_match_useragent' = FALSE then IE6 is fine but IE7 isn't :O

At the end of the day this problem is that SWF files don't send the same header as the browser when using IE.

What I don't understand is why it affects the browser's session - I'm guessing the cookie is overwritten by the SWF one?

Is there any way really to reset the session library back to the old cookie/session_id like you can with native PHP sessions? SWFUpload allows POST params to be sent on its page request so I can easily set whatever I want it to send.
#3

[eluser]Lone[/eluser]
Update

Well I have lost over 6 hours to solving this drama - planned to be completing a heap of other jobs tonight but this one got me good.

The only way to solve it was to pass the session_id through SWFUpload to the upload controller function it calls. Then in that function I allowed a user to be relogged back in using my authentication script by adding a field in the user db table that keeps the user's last session_id.

Then based on that session_id I check its last_activity is within the correct expire time and the ip address is still the same in which case they are logged back in with the auth script.

Works for me - not the most pleasant way to achieve it but it seems to be the only way, as just about any cookie based session tracker is going to face a similar flaw with SWF files.
#4

[eluser]Armorfist[/eluser]
The only thing I dislike about SWFUpload is the session handling. I think it's a bug within Flash. Quote from their documentation:

Quote:Cookies

In response to the Flash Cookie Bug the Cookies Plugin automatically retrieves your browser's cookies and sends them with the uploads. They are sent as POST or GET variables to the upload url.

I also used a system similar to yours, but it's a bit fugly. I'll let you know if I get another solution, please do the same if you find one.
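
The check described in post #3 (posted session_id, same IP address, last_activity inside the expiry window), sketched as an added example that is not code from any poster in this thread. The function name, the array keys and the 7200-second window are assumptions; the sample row reuses the original browser session from the table in post #1.

```php
<?php
// Added example; function and variable names are hypothetical, not CodeIgniter API.
// Row keys stand for the four columns listed in post #1 (key names are assumed).

/**
 * Map a session id posted by the Flash uploader back to a browser session.
 * Returns the matching row, or null when any check fails.
 */
function resolve_upload_session(array $rows, $postedId, $remoteIp, $now, $expire)
{
    // Only accept a well-formed 32-character hex id before touching the data.
    if (!is_string($postedId) || !preg_match('/\A[0-9a-f]{32}\z/', $postedId)) {
        return null;
    }
    foreach ($rows as $row) {
        if (!hash_equals($row['session_id'], $postedId)) {  // constant-time compare
            continue;
        }
        if ($row['ip_address'] !== $remoteIp) {
            return null;  // id presented from a different address
        }
        if ($now - (int) $row['last_activity'] > $expire) {
            return null;  // idle longer than the expiry window
        }
        return $row;
    }
    return null;  // unknown id
}

// Constructed input: the original browser row from the table in post #1.
$rows = array(array(
    'session_id'    => '8c75e6172f6d218479d5d407b363723d',
    'ip_address'    => '10.1.1.3',
    'user_agent'    => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;',
    'last_activity' => 1203509142,
));
$expire = 7200;  // assumed expiry window, in seconds
$id     = '8c75e6172f6d218479d5d407b363723d';  // sent as a SWFUpload POST param

$cases = array(
    'same ip, in window' => array($id, '10.1.1.3', 1203509227),
    'different ip'       => array($id, '10.1.1.9', 1203509227),
    'expired'            => array($id, '10.1.1.3', 1203509142 + $expire + 1),
    'malformed id'       => array('not-a-session-id', '10.1.1.3', 1203509227),
);
foreach ($cases as $label => $c) {
    $row = resolve_upload_session($rows, $c[0], $c[1], $c[2], $expire);
    echo $label, ': ', ($row ? 'accept' : 'reject'), "\n";
}
```

The posted id is as sensitive as the session cookie itself, so it belongs in the POST body rather than a GET query string, where it would end up in server and proxy logs.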