Ariel Popovsky's Blog

Adventures and misadventures with .NET
Working around Flash Cookie Bug in ASP.net MVC

I was integrating a jQuery plugin for file uploads, uploadify, in my app when I saw some very strange behavior. The plugin reported an error transmitting the file to the server, and while debugging the controller code I noticed the target action wasn’t being called at all. Debugging the client code, I found out that the server was redirecting the upload to the login page. The controller was marked with the AuthorizeAttribute, but the user was already authenticated. After a Google search I found this article explaining the problem and a workaround that didn’t work for me.

One easy solution was to remove the Authorize attribute from that action but that would open a big security hole, allowing anybody to upload files to the server. I finally implemented a manual authentication that seems to work fine.

In the client I extract the value from the forms authentication cookie and send it with my file as data:

    // Rendered on the server: the value of the forms authentication cookie,
    // or an empty string when the cookie is absent.
    var auth = "<% = Request.Cookies[FormsAuthentication.FormsCookieName]==null ? string.Empty : Request.Cookies[FormsAuthentication.FormsCookieName].Value %>";

    // File upload
    $('#photoUpload').fileUpload({
        uploader: '/Content/uploader.swf',
        script: '/Files/UploadPicture',
        scriptData: { token: auth },   // sent with the file so the server can authenticate the upload
        cancelImg: '/Content/images/cancel.png',
        auto: true,
        folder: '/uploads',
        fileDesc: 'Image',
        fileExt: '*.jpg;*.jpeg;*.png;*.gif'
    });

I think this technique could be easily applied to SWFUpload as well.

The server receives the security token so I needed to authenticate it. This action does the trick:

    // Requires: using System.Web.Security;
    public ActionResult UploadPicture(string token, HttpPostedFileBase fileData)
    {
        // Decrypt throws ArgumentException on a null or empty string, so check first.
        if (!string.IsNullOrEmpty(token))
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(token);
            // Decrypt does not reject expired tickets; check Expired explicitly.
            if (ticket != null && !ticket.Expired)
            {
                var identity = new FormsIdentity(ticket);
                if (identity.IsAuthenticated)
                {
                    /*************************************
                     *
                     *          HANDLE FILE
                     *
                     * ***********************************/
                    return Content("OK");
                }
            }
        }
        throw new InvalidOperationException("The user is not authenticated.");
    }

I think I’ll move the authentication to an action filter to keep the action code cleaner but this works fine for now.
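One way the move to a filter could look, as an added example that is not the author's code: a subclass of `AuthorizeAttribute` that falls back to the posted ticket when the request carries no cookie. The attribute name `TokenAuthorizeAttribute` is hypothetical, and the code assumes the ticket arrives as a POST form field named `token`.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical attribute (added example, not from the original post).
public class TokenAuthorizeAttribute : AuthorizeAttribute
{
    // Assumption: the upload sends the encrypted ticket in this form field.
    private const string TokenField = "token";

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        IPrincipal user = httpContext.User;
        // Requests that carry the cookie are already authenticated; only
        // fall back to the posted ticket when they are not.
        if (user == null || !user.Identity.IsAuthenticated)
        {
            // Read from the POST body only, so the ticket is never
            // accepted from a URL that could end up in logs or referrers.
            FormsAuthenticationTicket ticket =
                TryDecrypt(httpContext.Request.Form[TokenField]);

            // Decrypt does not reject expired tickets; check it here.
            if (ticket == null || ticket.Expired) return false;

            httpContext.User =
                new GenericPrincipal(new FormsIdentity(ticket), new string[0]);
        }

        // Let the base class apply any Users/Roles restrictions as usual.
        return base.AuthorizeCore(httpContext);
    }

    private static FormsAuthenticationTicket TryDecrypt(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        try { return FormsAuthentication.Decrypt(token); }
        catch (ArgumentException) { return null; }       // malformed ticket
        catch (CryptographicException) { return null; }  // failed validation
    }
}
```

With this in place the action is decorated with `[TokenAuthorize]` and no longer needs the `token` parameter or the manual check in its body.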


Posted on Wednesday, May 06, 2009 11:44 PM | Filed under [ ASP.net MVC ]

Feedback


# re: Working around Flash Cookie Bug in ASP.net MVC

I think that is the fastest and most precise answer I have ever found for a problem with google. I had just found this exact issue with uploadify not 10 minutes ago and assumed it was an issue with flash authentication.. and here I find the exact solution 3rd from the top on my search .. query was "flash mvc authenticate".

You are a champion. Thanks!
5/22/2009 2:12 AM | misteraidan

# re: Working around Flash Cookie Bug in ASP.net MVC

Thank you too, I'm glad it helped someone.
5/22/2009 10:19 AM | Ariel Popovsky

# re: Working around Flash Cookie Bug in ASP.net MVC

You are the man! The Developer!

For the past 4 hours I was going nuts with this bug. Thanks mate for this hack.
6/24/2009 9:16 AM | Gopinath M

# re: Working around Flash Cookie Bug in ASP.net MVC

Hi Ariel,

Thank you very much for this info. I was beginning to worry that there would be no way to implement uploadify in a secure environment.

I have a couple questions:

1. Do you think this could be done the same way using Windows authentication?
2. Did you end up removing the Authorize attribute with the manual solution?

Thanks again,
Adam
9/21/2009 3:28 PM | AdamA

# re: Working around Flash Cookie Bug in ASP.net MVC

I don't think you can implement this for windows authentication. This method is specific for FormsAuthentication.
I guess you can still set some kind of hidden unique token in the original form and check it on the controller later.
What about generating a Guid, storing it in your DB with the user identity and an expiration time and using it as a token. Then, on the target action you can retrieve the user data with the token.
I had to remove the authorize attribute and replace it with a custom one that implements the login logic.
9/21/2009 5:34 PM | Ariel Popovsky

# re: Working around Flash Cookie Bug in ASP.net MVC

I will give that a try. Thanks for the quick response!

Adam
9/21/2009 5:50 PM | AdamA

# re: Working around Flash Cookie Bug in ASP.net MVC

All morning dealing with this bug!
Thanks!
10/26/2009 3:03 PM | Eduardo

# re: Working around Flash Cookie Bug in ASP.net MVC

If anyone wants to encourage Adobe to fix this bug, here are the bug-tracker links for this issue:

https://bugs.adobe.com/jira/browse/FP-1044
https://bugs.adobe.com/jira/browse/FP-419
https://bugs.adobe.com/jira/browse/FP-201
https://bugs.adobe.com/jira/browse/FP-78

Unfortunately you have to create an account to view the issues, but there they are anyway.
12/3/2009 9:26 PM | Nick

# Thank you!

I never post on blogs but I had to tell you thank you for such an elegant solution to this problem. You saved me hours and lowered my blood pressure (and probably my cholesterol)

THANK YOU!
2/4/2010 3:48 AM | Josh

# re: Working around Flash Cookie Bug in ASP.net MVC

Hi,
What changes do we need to make for it to work with Windows authentication?

2/25/2010 7:10 AM | dotnetfreak

# re: Working around Flash Cookie Bug in ASP.net MVC

You are a beautiful man. I too want back all my hours wasted on this one.
3/4/2010 8:34 PM | Ted Jardine

# re: Working around Flash Cookie Bug in ASP.net MVC

Try this:

http://snipplr.com/view/15180/aspnet-working-around-flash-cookie-bug-aka-restoring-the-session--swfupload/
3/15/2010 11:09 PM | Carlos Bellucci

# re: Working around Flash Cookie Bug in ASP.net MVC

Thanks a lot for the solution!

I did have a question: how secure is this method? If someone has this aspxauth string, could they potentially use it to log in as another user?
3/18/2010 5:11 PM | Bara

# re: Working around Flash Cookie Bug in ASP.net MVC

Awesome...my geek karma be upon thee.
3/26/2010 12:20 AM | Chris Behrens

# re: Working around Flash Cookie Bug in ASP.net MVC

Cool! That's the best solution!... You know... I have been working on that... a lot of time trying to find a solution... and you can summarize that in just a few lines! Haha

Really, thanks
4/20/2010 12:05 AM | Emmanuel

# re: Working around Flash Cookie Bug in ASP.net MVC

Wow... sweet solution... I spent a day for this and to find a solution.. this is the best method I ever saw in internet...
7/3/2010 2:19 AM | ggeorge

# re: Working around Flash Cookie Bug in ASP.net MVC

5 points! Thanks!!! Thought a head to itself I will break ;)
Something like that ;)....
7/9/2010 12:05 PM | Сергей

# re: Working around Flash Cookie Bug in ASP.net MVC

I know a lot of people get this on their search engine results when trying to figure out this bug. There is an additional problem to the approach you have mentioned. It can be solved easily by using the fix as mentioned here:

http://stackoverflow.com/questions/1729179/uploadify-session-and-authentication-with-asp-net-mvc
8/23/2010 8:20 PM | Anup Marwadi

# re: Working around Flash Cookie Bug in ASP.net MVC

Great solution!

In my case, I had to do something extra in my web.config file, which was:

    <location path="THE_PATH_OF_THE_SERVICE">
      <system.web>
        <authorization>
          <allow users="?"/>
        </authorization>
      </system.web>
    </location>

Thanks a lot!

10/27/2010 11:36 AM | RafaMiranda

# re: Working around Flash Cookie Bug in ASP.net MVC

    var auth = "<% = Request.Cookies[FormsAuthentication.FormsCookieName]==null ? string.Empty : Request.Cookies[FormsAuthentication.FormsCookieName].Value %>";
    $("#swfupload-control").swfupload({
        upload_url: "/UploadPicture",
        file_post_name: 'uploadMultifile',
        file_size_limit: "1024",
        file_types: "*.jpg;*.png;*.gif",
        file_types_description: "Image files",
        scriptData: { token: auth },
        flash_url: "js/swfupload/swfupload.swf",
        button_image_url: 'js/swfupload/wdp_buttons_upload_114x29.png',
    });

    // controller method
    public ActionResult UploadPicture(string token, HttpPostedFileBase fileData)
    {}

I am using this code but it does not work in my application. Also, token is null.
11/16/2010 5:32 AM | mayank.d

# re: Working around Flash Cookie Bug in ASP.net MVC

Wow thank you so much for this solution, it works like a charm!
1/6/2011 11:45 PM | abri de jardin

# re: Working around Flash Cookie Bug in ASP.net MVC

Has anyone figured out how to implement this with Windows Authentication? Please email if you could provide any assistance.
1/26/2011 12:11 PM | Zas Sid

# re: Working around Flash Cookie Bug in ASP.net MVC

I am using this code but it does not work in my application. token is null, and the fileData is also null... Please help.
1/31/2011 2:18 AM | dinesh

# re: Working around Flash Cookie Bug in ASP.net MVC

Nice solution! Thanks!
4/20/2011 3:27 PM | raul
Comments have been closed on this topic.
