
When I use the Authorize filter on an action or a controller used by Uploadify (http://www.uploadify.com/), the action isn't reached...

Moreover, Session is not retrieved.

I found this to retrieve the user session:

http://geekswithblogs.net/apopovsky/archive/2009/05/06/working-around-flash-cookie-bug-in-asp.net-mvc.aspx

But how do I use it with the [Authorize] filter and retrieve the session?

Glorfindel
Dragouf

  • This site is for questions and answers. It's fine to answer your own question or put knowledge-base type articles here, but phrase them in the form of a question and then respond to them with your solution in the answer. – David Pfeffer Nov 13 '09 at 13:27
  • You can't use AuthorizeAttribute and Session state in MVC? Are you sure about that? – UpTheCreek Nov 13 '09 at 13:38
  • Sosh, did I write that?? – Dragouf Nov 16 '09 at 10:25

3 Answers

To correct this I propose a solution... Send the auth cookie value and the session id cookie value with Uploadify and recreate the cookies before the session is retrieved.

Here is the code to implement in the view:

<script>
    // Server-side values injected into the page: the forms-auth ticket (empty when not
    // logged in) and the current session id. Flash posts them back because it sends no cookies.
    var auth = "<%= Request.Cookies[FormsAuthentication.FormsCookieName] == null ? string.Empty : Request.Cookies[FormsAuthentication.FormsCookieName].Value %>";
    var ASPSESSID = "<%= Session.SessionID %>";

    $("#uploadifyLogo").uploadify({
        ...
        formData: { ASPSESSID: ASPSESSID, AUTHID: auth }
    });
</script>

And then in Global.asax:

using System;
using System.Web;
using System.Web.Security;

protected void Application_BeginRequest(object sender, EventArgs e)
{
    /* We guess that at this point the session is not already retrieved by the application,
       so we recreate the cookie with the session id sent by Uploadify... */
    try
    {
        string session_param_name = "ASPSESSID";
        string session_cookie_name = "ASP.NET_SessionId";

        // Uploadify sends the session id in the POST body (formData);
        // a query-string value is accepted as a fallback.
        if (HttpContext.Current.Request.Form[session_param_name] != null)
        {
            UpdateCookie(session_cookie_name, HttpContext.Current.Request.Form[session_param_name]);
        }
        else if (HttpContext.Current.Request.QueryString[session_param_name] != null)
        {
            UpdateCookie(session_cookie_name, HttpContext.Current.Request.QueryString[session_param_name]);
        }
    }
    catch
    {
        // Swallowed: a failure here simply leaves the request without a session cookie.
    }

    try
    {
        string auth_param_name = "AUTHID";
        string auth_cookie_name = FormsAuthentication.FormsCookieName;

        // Same idea for the forms-authentication ticket, so [Authorize] sees a logged-in user.
        if (HttpContext.Current.Request.Form[auth_param_name] != null)
        {
            UpdateCookie(auth_cookie_name, HttpContext.Current.Request.Form[auth_param_name]);
        }
        else if (HttpContext.Current.Request.QueryString[auth_param_name] != null)
        {
            UpdateCookie(auth_cookie_name, HttpContext.Current.Request.QueryString[auth_param_name]);
        }
    }
    catch
    {
        // Swallowed: the request is then treated as anonymous.
    }
}

private void UpdateCookie(string cookie_name, string cookie_value)
{
    // Rewrite the incoming request cookie collection so that the session-state and
    // forms-authentication modules, which run after BeginRequest, find the cookie.
    HttpCookie cookie = HttpContext.Current.Request.Cookies.Get(cookie_name);
    if (null == cookie)
    {
        cookie = new HttpCookie(cookie_name);
    }
    cookie.Value = cookie_value;
    HttpContext.Current.Request.Cookies.Set(cookie);
}

And voila, with that method it's totally transparent.

Hope it helps some!! ;)

EDITED: use formData instead of scriptData

Dragouf
  • Thanks, this fixed the problem I was having with retrieving session data in Firefox. – Charlie Dec 30 '09 at 13:59
  • Indeed, this is extremely helpful: I thank you for it. I was figuring the problem must involve the way Flash retrieves session cookies (if at all), but I just didn't have visibility into what the heck was going on, and until I saw this I never realized you could actually update the incoming cookie in this manner. You're a gorram hero, thanks. =) – EdgarVerona Jun 04 '10 at 15:08
  • Putting your sessionId in your script is a bad idea, as it makes it vulnerable to session hijacking (unless you're serving your script over SSL). – Alex KeySmith Feb 08 '11 at 14:47
  • @Alex - Having a session without an SSL connection to the server is vulnerable to session hijacking no matter what. If a theoretical hijacker is looking at your unencrypted page text, with script, with sessionId, they could just as easily look at the cookies you transmit to the server with the sessionId to maintain that session in the first place. – Adam Nofsinger Feb 18 '11 at 01:17
  • @Adam Nofsinger - this is true, but no need to open yourself up more. With cookies you can set them to HttpOnly (not foolproof, I know), but with script you're opening yourself to malicious JS. Here is a similar response that doesn't require the session ID to be in your JS. http://stackoverflow.com/questions/4538174/uploadify-ashx-file-context-session-gets-null-in-mozilla/4538433#4538433 Sorry, I don't mean to be picky, yours is a great answer (helped me out), but I've done a bit of security research recently and it caught my attention. – Alex KeySmith Feb 22 '11 at 08:59
  • +1000 for really helping me out. -999 for having *two* empty `catch` clauses. Hurts my eyes... – J. Ed Sep 11 '11 at 08:53
  • See an even more complete solution here. Hurrah! http://zootfroot.blogspot.com/2010/12/mvc-file-upload-using-uploadify-with.html – Daniel Gill Dec 09 '11 at 20:38
  • That helped, thanks. If you want to encourage Adobe to fix this bug, here's a bug tracker link for this issue: https://bugs.adobe.com/jira/browse/FP-1044 – Nick Knowlson Jan 10 '12 at 19:11
  • If you've implemented this solution and Session.SessionID is *still* not being overridden by the POSTed value, try implementing a custom SessionIDManager. It worked for me. http://blogs.microsoft.co.il/blogs/dorony/archive/2008/02/15/overcoming-ie-bug-with-a-custom-sessionidmanager.aspx – David Grant Mar 19 '12 at 23:41
  • formData instead of scriptData for newer versions of Uploadify – Jeff Borden Aug 15 '12 at 16:24
  • I have a weird issue: I have tried all the above options but I am still not able to update the cookie on the server, while on my developer machine it is working fine. Has anybody faced this kind of issue?? [My developer machine is just a replica of my server machine, so no config difference.] – FosterZ Feb 22 '13 at 16:03
  • It's worth pointing out @JeffBorden's answer re: using formData instead of scriptData, because otherwise you'll wonder why nothing's working if you're using the latest version of Uploadify! – Karl Aug 20 '13 at 15:21
  • I am just updating an older site to use ASP.NET Identity and found similar code in the Global.asax.cs to handle sessions with Flash... how would this code change to support ASP.NET Identity authentication rather than Forms? – Mark Redman Aug 28 '15 at 08:22
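A hardened variant of the Global.asax workaround in the accepted answer, added here as an example and not code from the answer or from Uploadify: it keeps the same cookie rebuild but accepts the POSTed values only on the upload handler's path, never from the query string, never over a cookie the browser did send, and only after the forms ticket has been decrypted and MAC-checked. The handler path `/Upload/Save` and the session-id pattern are assumptions.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Security;

// Hypothetical helper, not the answer's own code: rebuilds the two cookies the way
// the answer does, but only on POSTs to the upload handler, only from the form body
// (never the query string), only when the browser sent no cookie, and only after
// the forms ticket decrypts with a valid MAC. Call Restore() from Application_BeginRequest.
public static class UploadCookieRestorer
{
    // Assumed path of the Uploadify handler; adjust to the real route.
    private const string UploadPath = "/Upload/Save";
    // Assumed shape of a session id (ASP.NET's default ids are 24 alphanumerics).
    private static readonly Regex SessionIdShape = new Regex("^[A-Za-z0-9]{1,80}$");

    public static void Restore(HttpRequest request)
    {
        if (!string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase)) return;
        if (!string.Equals(request.Path, UploadPath, StringComparison.OrdinalIgnoreCase)) return;

        RestoreIfMissing(request, "ASP.NET_SessionId", request.Form["ASPSESSID"],
                         v => SessionIdShape.IsMatch(v));
        RestoreIfMissing(request, FormsAuthentication.FormsCookieName, request.Form["AUTHID"],
                         IsValidTicket);
    }

    private static void RestoreIfMissing(HttpRequest request, string cookieName,
                                         string value, Func<string, bool> accept)
    {
        if (string.IsNullOrEmpty(value) || !accept(value)) return;
        if (request.Cookies.Get(cookieName) != null) return; // the browser's own cookie wins
        request.Cookies.Set(new HttpCookie(cookieName, value));
    }

    // Decrypt verifies the ticket's MAC before decrypting, so a tampered or foreign
    // value throws (ArgumentException, CryptographicException or HttpException).
    private static bool IsValidTicket(string encryptedTicket)
    {
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(encryptedTicket);
            return ticket != null && !ticket.Expired;
        }
        catch (Exception)
        {
            return false;
        }
    }
}
```

Wire it up by making `UploadCookieRestorer.Restore(HttpContext.Current.Request);` the body of Application_BeginRequest in Global.asax.cs.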
This solution works great. I translated the code to VB if anyone wants it:

    Protected Sub Application_BeginRequest(ByVal sender As Object, ByVal e As System.EventArgs)
        ' We guess that at this point the session is not already retrieved by the application,
        ' so we recreate the cookie with the session id sent by Uploadify...
        Try
            Dim session_param_name As String = "ASPSESSID"
            Dim session_cookie_name As String = "ASP.NET_SessionId"

            If Not HttpContext.Current.Request.Form(session_param_name) Is Nothing Then
                UpdateCookie(session_cookie_name, HttpContext.Current.Request.Form(session_param_name))
            ElseIf Not HttpContext.Current.Request.QueryString(session_param_name) Is Nothing Then
                UpdateCookie(session_cookie_name, HttpContext.Current.Request.QueryString(session_param_name))
            End If
        Catch ex As Exception
            ' Swallowed: the request simply continues without a session cookie.
        End Try

        Try
            Dim auth_param_name As String = "AUTHID"
            Dim auth_cookie_name As String = FormsAuthentication.FormsCookieName

            If Not HttpContext.Current.Request.Form(auth_param_name) Is Nothing Then
                UpdateCookie(auth_cookie_name, HttpContext.Current.Request.Form(auth_param_name))
            ElseIf Not HttpContext.Current.Request.QueryString(auth_param_name) Is Nothing Then
                UpdateCookie(auth_cookie_name, HttpContext.Current.Request.QueryString(auth_param_name))
            End If
        Catch ex As Exception
            ' Swallowed: the request is then treated as anonymous.
        End Try
    End Sub

    Private Sub UpdateCookie(ByVal cookie_name As String, ByVal cookie_value As String)
        ' Rewrite the incoming request cookie so the session-state and forms-auth modules find it.
        Dim cookie = HttpContext.Current.Request.Cookies.Get(cookie_name)
        If cookie Is Nothing Then
            cookie = New HttpCookie(cookie_name)
        End If
        cookie.Value = cookie_value
        HttpContext.Current.Request.Cookies.Set(cookie)
    End Sub

Here's the part for the JavaScript variable assignment:

var auth = "<%=IIf(Request.Cookies(FormsAuthentication.FormsCookieName) Is Nothing, "", Request.Cookies(FormsAuthentication.FormsCookieName).Value)%>";
var ASPSESSID = "<%=Session.SessionID%>";

Maybe someone working in VB can benefit from that.

Guvante
Landon Poch

For VB converted code, start the code block with <%# instead of <%=

i.e.

var auth='<%# IIf(Request.Cookies(FormsAuthentication.FormsCookieName) Is Nothing, "", 
     Request.Cookies(FormsAuthentication.FormsCookieName).Value)%>';

var ASPSESSID = '<%# Session.SessionID%>';
kleopatra