Ariel Popovsky's Blog

Adventures and misadventures with .net
Wednesday, May 06, 2009

Working around Flash Cookie Bug in ASP.net MVC

I was integrating a jQuery plugin for file uploads, uploadify, in my app when I saw a very strange behavior. The plugin reported an error transmitting the file to the server, and when I debugged the controller code I noticed the target action wasn’t being called at all. Debugging the client code, I found out that the server was redirecting the upload to the login page. The controller was marked with the AuthorizeAttribute, but the user was already authenticated. After a Google search I found this article explaining the problem (the Flash player does not send the browser's cookies, so the forms authentication cookie never reaches the server) and a workaround that didn’t work for me.

One easy solution was to remove the Authorize attribute from that action but that would open a big security hole, allowing anybody to upload files to the server. I finally implemented a manual authentication that seems to work fine.

In the client I extract the value from the forms authentication cookie and send it with my file as data:

    // Read the forms authentication cookie server-side and emit its encrypted
    // ticket value into the page; an anonymous visitor gets an empty string.
    var auth = "<%= Request.Cookies[FormsAuthentication.FormsCookieName] == null ? string.Empty : Request.Cookies[FormsAuthentication.FormsCookieName].Value %>";

    // File upload: the Flash uploader does not send cookies, so the ticket
    // travels as an extra POST field ("token") alongside the file.
    $('#photoUpload').fileUpload({
        uploader: '/Content/uploader.swf',
        script: '/Files/UploadPicture',
        scriptData: { token: auth },
        cancelImg: '/Content/images/cancel.png',
        auto: true,
        folder: '/uploads',
        fileDesc: 'Image',
        fileExt: '*.jpg;*.jpeg;*.png;*.gif'
    });

I think this technique could be easily applied to SWFUpload as well.

The server receives the security token so I needed to authenticate it. This action does the trick:

    public ActionResult UploadPicture(string token, HttpPostedFileBase fileData)
    {
        // The ticket arrives as a form field instead of the forms authentication cookie.
        if (!string.IsNullOrEmpty(token))
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(token);

            // Reject unreadable and expired tickets explicitly: FormsIdentity.IsAuthenticated
            // is true for any ticket it is constructed from, so it does not check expiry.
            if (ticket != null && !ticket.Expired)
            {
                var identity = new FormsIdentity(ticket);
                if (identity.IsAuthenticated)
                {
                    /*************************************
                     *
                     *          HANDLE FILE
                     *
                     * ***********************************/
                    return Content("OK");
                }
            }
        }
        throw new InvalidOperationException("The user is not authenticated.");
    }

I think I’ll move the authentication to an action filter to keep the action code cleaner but this works fine for now.
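The action filter version of the same check, written here as an added example rather than code from the original post. It assumes the attribute name TokenAuthorizeAttribute and the form field name "token" (which must match the scriptData key the uploader posts); it subclasses the MVC AuthorizeAttribute so the normal cookie path still works for ordinary browser requests, and the posted ticket is only consulted when no authenticated user is present.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Assumed name for this example; not part of the original post.
public class TokenAuthorizeAttribute : AuthorizeAttribute
{
    // Name of the POST field carrying the forms authentication ticket.
    // Must match the scriptData key sent by the uploader ("token" here).
    public string TokenField { get; set; }

    public TokenAuthorizeAttribute()
    {
        TokenField = "token";
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Ordinary browser requests still carry the cookie; let the base class decide.
        if (base.AuthorizeCore(httpContext))
        {
            return true;
        }

        // The Flash uploader sends no cookies, so look for the ticket in the form body.
        string token = httpContext.Request.Form[TokenField];
        if (string.IsNullOrEmpty(token))
        {
            return false;
        }

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(token);
        }
        catch (Exception)
        {
            // A tampered or malformed ticket fails decryption; treat it as anonymous.
            return false;
        }

        // FormsIdentity.IsAuthenticated is always true, so expiry must be checked here.
        if (ticket == null || ticket.Expired)
        {
            return false;
        }

        // Attach the user to the request so the action (and any Users/Roles
        // restrictions on the attribute) see the same principal as a cookie login.
        // Roles are not loaded from the ticket; an empty role list is used.
        var identity = new FormsIdentity(ticket);
        httpContext.User = new GenericPrincipal(identity, new string[0]);
        return base.AuthorizeCore(httpContext);
    }
}

// Usage (hypothetical controller): the action no longer needs a token parameter.
public class FilesController : Controller
{
    [TokenAuthorize]
    public ActionResult UploadPicture(HttpPostedFileBase fileData)
    {
        // HANDLE FILE; User.Identity.Name holds the ticket's user name.
        return Content("OK");
    }
}
```

Because the ticket value is written into the page and posted as a form field, it is readable by any script running on that page and should travel only over HTTPS, exactly like the cookie it was copied from; an expired or tampered ticket is refused before the action runs.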

Posted On Wednesday, May 06, 2009 11:44 PM | Feedback (25) | Filed Under [ ASP.net MVC ]
