Geeks With Blogs

Ariel Popovsky's Blog: Adventures and misadventures with .net

I was integrating a jQuery plugin for file uploads, Uploadify, in my app when I saw a very strange behavior. The plugin reported an error transmitting the file to the server, and debugging the controller code I noticed the target action wasn’t being called at all. Debugging the client code, I found out that the server was redirecting the upload to the login page. The controller was marked with the AuthorizeAttribute, but the user was already authenticated. After a Google search I found this article explaining the problem and a workaround that didn’t work for me.

One easy solution was to remove the Authorize attribute from that action, but that would open a big security hole, allowing anybody to upload files to the server. I finally implemented a manual authentication that seems to work fine.

In the client I extract the value from the forms authentication cookie and send it with my file as data:

    // Value of the forms authentication cookie, rendered server-side
    // (empty string when the cookie is absent).
    var auth = "<%= Request.Cookies[FormsAuthentication.FormsCookieName]==null ? string.Empty : Request.Cookies[FormsAuthentication.FormsCookieName].Value %>";

    // File upload
    $('#photoUpload').fileUpload({
        uploader: '/Content/uploader.swf',
        script: '/Files/UploadPicture',
        scriptData: { token: auth },   // sent to the server along with the file
        cancelImg: '/Content/images/cancel.png',
        auto: true,
        folder: '/uploads',
        fileDesc: 'Image',
        fileExt: '*.jpg;*.jpeg;*.png;*.gif'
    });

I think this technique could be easily applied to SWFUpload as well.

The server receives the security token so I needed to authenticate it. This action does the trick:

    // Requires: using System.Web.Security;
    public ActionResult UploadPicture(string token, HttpPostedFileBase fileData)
    {
        // Decrypt throws ArgumentException when the value is null or empty,
        // which also rejects the request.
        FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(token);
        // Decrypt does not reject expired tickets, so check expiry explicitly.
        if (ticket != null && !ticket.Expired)
        {
            var identity = new FormsIdentity(ticket);
            if (identity.IsAuthenticated)
            {
                /*************************************
                 *
                 *          HANDLE FILE
                 *
                 * ***********************************/
                return Content("OK");
            }
        }
        throw new InvalidOperationException("The user is not authenticated.");
    }

I think I’ll move the authentication to an action filter to keep the action code cleaner but this works fine for now.
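
The action filter mentioned above could look like the following; this is an added example, not the author's code. The attribute name `TokenizedAuthorizeAttribute` is hypothetical, and it assumes ASP.NET MVC with forms authentication and an uploader that sends the ticket in a field named `token`, as in the client snippet.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Added example (hypothetical name): accepts the forms ticket from the "token"
// field when the Flash uploader did not send the authentication cookie.
public class TokenizedAuthorizeAttribute : AuthorizeAttribute
{
    private const string TokenField = "token"; // matches scriptData: { token: auth }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        IPrincipal current = httpContext.User;
        // Only fall back to the token when the cookie did not authenticate the request.
        if (current == null || !current.Identity.IsAuthenticated)
        {
            string token = httpContext.Request.Form[TokenField]
                           ?? httpContext.Request.QueryString[TokenField];
            FormsAuthenticationTicket ticket = TryDecrypt(token);
            // Decrypt does not check the expiry date and FormsIdentity.IsAuthenticated
            // is always true, so the expiry test has to be explicit.
            if (ticket != null && !ticket.Expired)
            {
                // Roles are not restored here; an attribute that sets Roles
                // would need them loaded for this user.
                httpContext.User = new GenericPrincipal(new FormsIdentity(ticket), new string[0]);
            }
        }
        // The base class still applies its usual checks (authenticated, Users, Roles).
        return base.AuthorizeCore(httpContext);
    }

    // A missing, malformed or tampered value is treated as "no token".
    private static FormsAuthenticationTicket TryDecrypt(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        try { return FormsAuthentication.Decrypt(token); }
        catch (ArgumentException) { return null; }
        catch (HttpException) { return null; }
        catch (CryptographicException) { return null; }
    }
}
```

With `[TokenizedAuthorize]` on the upload action, a request without a valid, unexpired ticket is handled as any other unauthorized request and the action body no longer needs its own check.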

Posted on Wednesday, May 6, 2009 11:44 PM ASP.net MVC


Comments on this post: Working around Flash Cookie Bug in ASP.net MVC

# re: Working around Flash Cookie Bug in ASP.net MVC
I think that is the fastest and most precise answer I have ever found for a problem with Google. I had just found this exact issue with uploadify not 10 minutes ago and assumed it was an issue with Flash authentication.. and here I find the exact solution 3rd from the top on my search .. query was "flash mvc authenticate".

You are a champion. Thanks!
Left by misteraidan on May 22, 2009 2:12 AM

# re: Working around Flash Cookie Bug in ASP.net MVC
Thank you too, I'm glad it helped someone.
Left by Ariel Popovsky on May 22, 2009 10:19 AM

# re: Working around Flash Cookie Bug in ASP.net MVC
You are the man! The Developer!

For the past 4 hours I was going nuts with this bug. Thanks mate for this hack.
Left by Gopinath M on Jun 24, 2009 9:16 AM

# re: Working around Flash Cookie Bug in ASP.net MVC
Hi Ariel,

Thank you very much for this info. I was beginning to worry that there would be no way to implement uploadify in a secure environment.

I have a couple questions:

1. Do you think this could be done the same way using Windows authentication?
2. Did you end up removing the Authorize attribute with the manual solution?

Thanks again,
Adam
Left by AdamA on Sep 21, 2009 3:28 PM

# re: Working around Flash Cookie Bug in ASP.net MVC
I don't think you can implement this for Windows authentication. This method is specific for FormsAuthentication.
I guess you can still set some kind of hidden unique token in the original form and check it on the controller later.
What about generating a Guid, storing it in your DB with the user identity and an expiration time and using it as a token. Then, on the target action you can retrieve the user data with the token.
I had to remove the authorize attribute and replace it with a custom one that implements the login logic.
Left by Ariel Popovsky on Sep 21, 2009 5:34 PM
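
The token approach suggested in this comment, as an added example that is not code from the post or its commenters. The class and member names are hypothetical; it keeps tokens in memory instead of a database, draws them from a cryptographic random number generator instead of `Guid.NewGuid()`, and assumes .NET 4 or later.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Added example (hypothetical class): short-lived tokens that identify a user
// to the upload action only.
public sealed class UploadTokenStore
{
    private sealed class Entry
    {
        public string UserName;
        public DateTime ExpiresUtc;
    }

    private readonly ConcurrentDictionary<string, Entry> _tokens =
        new ConcurrentDictionary<string, Entry>();

    // Called while rendering the upload page for an already authenticated user;
    // the returned value goes into scriptData in place of the cookie value.
    public string Issue(string userName, TimeSpan lifetime)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        string token = BitConverter.ToString(bytes).Replace("-", "");
        _tokens[token] = new Entry { UserName = userName, ExpiresUtc = DateTime.UtcNow.Add(lifetime) };
        return token;
    }

    // Called by the upload action: maps the posted token back to the user.
    public bool TryResolve(string token, out string userName)
    {
        userName = null;
        Entry entry;
        if (string.IsNullOrEmpty(token) || !_tokens.TryGetValue(token, out entry))
            return false;
        if (entry.ExpiresUtc <= DateTime.UtcNow)
        {
            _tokens.TryRemove(token, out entry); // drop the stale entry
            return false;
        }
        userName = entry.UserName;
        return true;
    }
}
```

Because such a token is accepted only by the upload action and only until it expires, exposing it to page script reveals less than exposing the forms authentication cookie value, which every protected action accepts for as long as the ticket is valid.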

# re: Working around Flash Cookie Bug in ASP.net MVC
I will give that a try. Thanks for the quick response!

Adam
Left by AdamA on Sep 21, 2009 5:50 PM

# re: Working around Flash Cookie Bug in ASP.net MVC
All the morning dealing with this bug!
Thanks!
Left by Eduardo on Oct 26, 2009 3:03 PM

# re: Working around Flash Cookie Bug in ASP.net MVC
If anyone wants to encourage Adobe to fix this bug, here are the bug-tracker links for this issue:

https://bugs.adobe.com/jira/browse/FP-1044
https://bugs.adobe.com/jira/browse/FP-419
https://bugs.adobe.com/jira/browse/FP-201
https://bugs.adobe.com/jira/browse/FP-78

Unfortunately you have to create an account to view the issues, but there they are anyway.
Left by Nick on Dec 03, 2009 9:26 PM

# Thank you!
I never post on blogs but I had to tell you thank you for such an elegant solution to this problem. You saved me hours and lowered my blood pressure (and probably my cholesterol)

THANK YOU!
Left by Josh on Feb 04, 2010 3:48 AM

# re: Working around Flash Cookie Bug in ASP.net MVC
Hi,
what changes do we need to make it work for Windows authentication?

Left by dotnetfreak on Feb 25, 2010 7:10 AM

# re: Working around Flash Cookie Bug in ASP.net MVC
You are a beautiful man. I too want back all my hours wasted on this one.
Left by Ted Jardine on Mar 04, 2010 8:34 PM

# re: Working around Flash Cookie Bug in ASP.net MVC
try this:

http://snipplr.com/view/15180/aspnet-working-around-flash-cookie-bug-aka-restoring-the-session--swfupload/
Left by Carlos Bellucci on Mar 15, 2010 11:09 PM

# re: Working around Flash Cookie Bug in ASP.net MVC
Thanks a lot for the solution!

I did have a question, how secure is this method? If someone has this aspxauth string could they potentially use it to log in as another user?
Left by Bara on Mar 18, 2010 5:11 PM

# re: Working around Flash Cookie Bug in ASP.net MVC
Awesome...my geek karma be upon thee.
Left by Chris Behrens on Mar 26, 2010 12:20 AM

# re: Working around Flash Cookie Bug in ASP.net MVC
Cool! That's the best solution!.... you know... I have been working on that... a lot of time trying to find a solution... and you can summarize that in just some lines! jaja

really thanks
Left by Emmanuel on Apr 20, 2010 12:05 AM

# re: Working around Flash Cookie Bug in ASP.net MVC
Wow... sweet solution... I spent a day on this trying to find a solution.. this is the best method I ever saw on the internet...
Left by ggeorge on Jul 03, 2010 2:19 AM

# re: Working around Flash Cookie Bug in ASP.net MVC
5 points! Thanks!!! Thought a head to itself I will break ;)
something like that ;)....
Left by Сергей on Jul 09, 2010 12:05 PM

# re: Working around Flash Cookie Bug in ASP.net MVC
I know a lot of people get this on their search engine results when trying to figure out this bug. There is an additional problem to the approach you have mentioned. It can be solved easily by using the fix as mentioned here:

http://stackoverflow.com/questions/1729179/uploadify-session-and-authentication-with-asp-net-mvc
Left by Anup Marwadi on Aug 23, 2010 8:20 PM

# re: Working around Flash Cookie Bug in ASP.net MVC
Great solution!

In my case, I had to do something extra in my web.config file, which was:

    <location path="THE_PATH_OF_THE_SERVICE">
      <system.web>
        <authorization>
          <allow users="?"/>
        </authorization>
      </system.web>
    </location>

Thanks a lot!

Left by RafaMiranda on Oct 27, 2010 11:36 AM

# re: Working around Flash Cookie Bug in ASP.net MVC
    var auth = "<% = Request.Cookies[FormsAuthentication.FormsCookieName]==null ? string.Empty : Request.Cookies[FormsAuthentication.FormsCookieName].Value %>";
    $("#swfupload-control").swfupload({
        upload_url: "/UploadPicture",
        file_post_name: 'uploadMultifile',
        file_size_limit: "1024",
        file_types: "*.jpg;*.png;*.gif",
        file_types_description: "Image files",
        scriptData: { token: auth },
        flash_url: "js/swfupload/swfupload.swf",
        button_image_url: 'js/swfupload/wdp_buttons_upload_114x29.png',
    });

    // controller method
    public ActionResult UploadPicture(string token, HttpPostedFileBase fileData)
    {}

I am using this code but it's not working in my application. Also, token is null.
Left by mayank.d on Nov 16, 2010 5:32 AM

# re: Working around Flash Cookie Bug in ASP.net MVC
Wow thank you so much for this solution, it works like a charm!
Left by abri de jardin on Jan 06, 2011 11:45 PM

# re: Working around Flash Cookie Bug in ASP.net MVC
Has anyone figured out how to implement this with Windows Authentication? Please email if you could provide any assistance.
Left by Zas Sid on Jan 26, 2011 12:11 PM

# re: Working around Flash Cookie Bug in ASP.net MVC
I am using this code but it's not working in my application. token is null, and the fileData is also null.... please help
Left by dinesh on Jan 31, 2011 2:18 AM

# re: Working around Flash Cookie Bug in ASP.net MVC
Nice solution! Thanks!
Left by raul on Apr 20, 2011 3:27 PM

Comments have been closed on this topic.
Copyright © Ariel Popovsky