Ask a Jedi: Flash, ColdFusion and FIle Uploads

Asa asks an interesting question. I wasn't going to answer as Flash isn't my area really, but I had an idea and I figured I'd suggest it. Please feel free to correct me if this is dumb. Anyway, here is the question:

I'm trying to make a file unloader using Flash & ColdFusion. I have a flash file embedded on a page that let's the user select a file, which is then posted to a ColdFusion page for upload. The problem is that the Flash player doesn't post cookies on file uploads, so the ColdFusion page that's getting posted to is under a new session. Is there a way to append the cfid to the url and have ColdFusion use that session instead of making a new one?

So I was a bit surprised by this. I can't imagine why Flash would not do a 'normal' request and pass along the cookies. That being said - I think I know a way to do this. When you generate your HTML code to embed the Flash SWF, you can pass along the session.urltoken value via flash vars. The Flash app could read this and use it when it does its POST.

Right?

Any Flash users out there want to chime in? (I'm sure I must have at least one Flash guy reading the blog. He probably sits next to the one Photoshop guy reading my blog. ;)

Comments (11) Apr 10, 2008 2:30 PM Views: 2053

Comments

[Add Comment]
Thanks Ray. The research I've done talks about how this is a problem with FireFox and Safari. Apparently IE works fine. The solution everyone suggests is to pass the session ID to the flash file and then append it to the URL. All the examples are using PHP though. So if my post URL is upload.cfm?cfid=1234 then how do I make CF use that session?

Here are some more blogs talking about the issue
http://www.visible-form.com/blog/flash-file-upload...
http://robrosenbaum.com/flash/using-flash-upload-w...
# Posted By Asa | 4/10/08 2:52 PM
I discussed about this here before, it works in IE, but Safari or Firefox wont store the session on the request, my work around was to disable security for that specific .cfm upload file (havent seen another solution yet)

My file was site was protected via CFLOGIN, so I did this on the onRequestStart


<!--- Upload with Safari or Firefox? BUG --->
<cfif CGI.SCRIPT_NAME CONTAINS "admin/galerias/fotos/upload.cfm">

Then I skip the validation.
# Posted By Raul Riera | 4/10/08 2:52 PM
@Asa: CF supports receiving session info via the url. If you make a link like so:

a href="foo.cfm?#session.urltoken#"

This will append everything CF needs. So if you pass the value to Flash, and Flash does a post to

foo.cfm?INSERT THE VAR HERE IN ACTION SCRIPT

Then it should work just fine. You don't have to make CF work with it - it should "just work".

@Raul: Wow, I got to say though - I think thats a bad idea. It would let anyone upload files.
# Posted By Raymond Camden | 4/10/08 3:00 PM
I dont know how the security system works so I think I am wrong with this, but wont it be the same for the user to know the upload.cfm address with or without the session id? (in order to upload something with unrestricted access?)

Everyone can easily hit view source and see the var passed in to the swf via flashVars
# Posted By Raul Riera | 4/10/08 3:05 PM
You can call a CFC from within CFFile to retrieve session information, if I recall correctly.
# Posted By David Buhler | 4/10/08 3:07 PM
Thanks Ray!

Passing #session.urltoken# to the flash file and then appending it to the upload URL works great!
# Posted By asa | 4/10/08 4:36 PM
@David: Huh? :P
# Posted By Todd Rafferty | 4/11/08 2:54 PM
Asa,

Im curious how you got that to work, its not working for me doing. Did you added the token to the upload method of actionscript or did you sent the token through the data property in the URLRequest class?
# Posted By Raul Riera | 4/13/08 5:31 PM
@The WebRat

I swear that's how I think i did it! I think. ;)

**all my advice comes without warranty and is given with only vague recollections of what once worked.
# Posted By David Buhler | 4/14/08 12:21 PM
If the upload directory has its own Application.cfc...

Would it be possible to use the onRequestEnd method in the application CFC, to add a user's Session ID to the database table?

I envision doing a look-up of the last ID in the DB onRequestEnd.

Thoughts?
# Posted By David Buhler | 4/15/08 11:13 AM
@ Raul

I passed the upload path to the SWF as a variable:

file.swf?path=#URLEncodedFormat('UploadImage.cfm?#session.urltoken#')#

you need the URLEncodedFormat around it because session.urltoken is actually 2 url variables.
# Posted By Asa | 4/15/08 1:03 PM
[Add Comment]