Ariel Popovsky's Blog

Adventures and misadventures with .NET
Working around Flash Cookie Bug in ASP.net MVC

I was integrating a jQuery plugin for file uploads, Uploadify, in my app when I saw a very strange behavior. The plugin reported an error transmitting the file to the server and, debugging the controller code, I noticed the target action wasn’t being called at all. Debugging the client code, I found out that the server was redirecting the upload to the login page. The controller was marked with the AuthorizeAttribute, but the user was already authenticated. After a Google search I found this article explaining the problem and a workaround that didn’t work for me.

One easy solution was to remove the Authorize attribute from that action but that would open a big security hole, allowing anybody to upload files to the server. I finally implemented a manual authentication that seems to work fine.

In the client I extract the value from the forms authentication cookie and send it with my file as data:

 

    // The forms authentication cookie value is rendered into the page so the script can send it.
    // Note: this makes the ticket readable by any script on the page, even if the cookie itself is marked HttpOnly.
    var auth = "<%= Request.Cookies[FormsAuthentication.FormsCookieName] == null ? string.Empty : Request.Cookies[FormsAuthentication.FormsCookieName].Value %>";

    // File upload
    $('#photoUpload').fileUpload({
        uploader: '/Content/uploader.swf',
        script: '/Files/UploadPicture',
        scriptData: { token: auth },   // the ticket travels with the file as extra data
        cancelImg: '/Content/images/cancel.png',
        auto: true,
        folder: '/uploads',
        fileDesc: 'Image',
        fileExt: '*.jpg;*.jpeg;*.png;*.gif'
    });

I think this technique could be easily applied to SWFUpload as well.

The server receives the security token so I needed to authenticate it. This action does the trick:

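    // Requires: using System; using System.Web; using System.Web.Mvc; using System.Web.Security;
    public ActionResult UploadPicture(string token, HttpPostedFileBase fileData)
    {
        // FormsAuthentication.Decrypt throws ArgumentException on a null or empty token,
        // so a request without a token is rejected before decrypting.
        if (!string.IsNullOrEmpty(token))
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(token);
            // Decrypt does not check expiry, so an expired ticket has to be rejected explicitly.
            if (ticket != null && !ticket.Expired)
            {
                var identity = new FormsIdentity(ticket);
                if (identity.IsAuthenticated)
                {
                    /*************************************
                     *
                     *          HANDLE FILE
                     *
                     * ***********************************/
                    return Content("OK");
                }
            }
        }
        throw new InvalidOperationException("The user is not authenticated.");
    }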

 

I think I’ll move the authentication to an action filter to keep the action code cleaner but this works fine for now.

Posted on Wednesday, May 06, 2009 11:44 PM | Filed Under [ ASP.net MVC ]
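An added example, not the author's code: one way the check could be moved out of the action into a custom authorize attribute, as the post proposes. The class name `FlashTokenAuthorizeAttribute` and its `TokenField` property are hypothetical; the field name `token` comes from the `scriptData` above, and the lookup tries the form body and then the query string because the post does not say how the plugin transmits it.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical attribute: accepts a forms-auth ticket posted as a field when the
// Flash uploader does not send the browser's cookies.
public class FlashTokenAuthorizeAttribute : AuthorizeAttribute
{
    public FlashTokenAuthorizeAttribute()
    {
        TokenField = "token";   // matches scriptData: { token: auth }
    }

    public string TokenField { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        // A token in the query string ends up in server logs; the form body is preferred.
        string token = httpContext.Request.Form[TokenField]
                       ?? httpContext.Request.QueryString[TokenField];

        // No token: fall back to the normal cookie-based check.
        if (string.IsNullOrEmpty(token)) return base.AuthorizeCore(httpContext);

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(token);
        }
        catch (ArgumentException)
        {
            return false;       // malformed or oversized token
        }

        // Decrypt does not enforce expiry, so check it here.
        if (ticket == null || ticket.Expired) return false;

        // Attach the identity, then let the base class apply its Users/Roles rules.
        // No roles are loaded here, so a Roles restriction on the attribute will not match.
        httpContext.User = new GenericPrincipal(new FormsIdentity(ticket), new string[0]);
        return base.AuthorizeCore(httpContext);
    }
}
```

Applied as `[FlashTokenAuthorize]` on `UploadPicture`, the action body no longer needs the `token` parameter or the manual ticket check.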

Feedback


# re: Working around Flash Cookie Bug in ASP.net MVC

I think that is the fastest and most precise answer I have ever found for a problem with Google. I had just found this exact issue with uploadify not 10 minutes ago and assumed it was an issue with Flash authentication.. and here I find the exact solution 3rd from the top on my search .. query was "flash mvc authenticate".

You are a champion. Thanks!
5/22/2009 2:12 AM | misteraidan

# re: Working around Flash Cookie Bug in ASP.net MVC

Thank you too, I'm glad it helped someone.
5/22/2009 10:19 AM | Ariel Popovsky

# re: Working around Flash Cookie Bug in ASP.net MVC

You are the man! The Developer!

For the past 4 hours I was going nuts with this bug. Thanks mate for this hack.
6/24/2009 9:16 AM | Gopinath M

# re: Working around Flash Cookie Bug in ASP.net MVC

Hi Ariel,

Thank you very much for this info. I was beginning to worry that there would be no way to implement uploadify in a secure environment.

I have a couple questions:

1. Do you think this could be done the same way using Windows authentication?
2. Did you end up removing the Authorize attribute with the manual solution?

Thanks again,
Adam
9/21/2009 3:28 PM | AdamA

# re: Working around Flash Cookie Bug in ASP.net MVC

I don't think you can implement this for Windows authentication. This method is specific to FormsAuthentication.
I guess you can still set some kind of hidden unique token in the original form and check it on the controller later.
What about generating a Guid, storing it in your DB with the user identity and an expiration time and using it as a token? Then, on the target action you can retrieve the user data with the token.
I had to remove the Authorize attribute and replace it with a custom one that implements the login logic.
9/21/2009 5:34 PM | Ariel Popovsky
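An added example, not code from this thread: a sketch of the server-side token described in the reply above, which avoids exposing the authentication ticket to the page. It uses an in-memory dictionary where the reply suggests a database, and random bytes from a cryptographic generator where the reply suggests a Guid; `UploadTokenStore`, `Issue` and `Redeem` are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical store mapping an opaque upload token to a user and an expiry time.
public static class UploadTokenStore
{
    private class Entry
    {
        public string UserName;
        public DateTime ExpiresUtc;
    }

    private static readonly Dictionary<string, Entry> Tokens = new Dictionary<string, Entry>();
    private static readonly object Sync = new object();

    // Call while rendering the upload page for an already authenticated user,
    // and pass the result to the plugin as scriptData instead of the cookie value.
    public static string Issue(string userName, TimeSpan lifetime)
    {
        var bytes = new byte[32];
        new RNGCryptoServiceProvider().GetBytes(bytes);   // unguessable, unlike a sequential id
        string token = BitConverter.ToString(bytes).Replace("-", "");

        lock (Sync)
        {
            Tokens[token] = new Entry { UserName = userName, ExpiresUtc = DateTime.UtcNow.Add(lifetime) };
        }
        return token;
    }

    // Call in the upload action. Returns the user name, or null when the token
    // is unknown or expired. Expired entries are dropped on lookup.
    public static string Redeem(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;

        lock (Sync)
        {
            Entry entry;
            if (!Tokens.TryGetValue(token, out entry)) return null;
            if (entry.ExpiresUtc <= DateTime.UtcNow)
            {
                Tokens.Remove(token);
                return null;
            }
            return entry.UserName;
        }
    }
}
```

A token issued this way grants only the upload action for a short period, so a leaked value is worth less than a leaked authentication ticket.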

# re: Working around Flash Cookie Bug in ASP.net MVC

I will give that a try. Thanks for the quick response!

Adam
9/21/2009 5:50 PM | AdamA

# re: Working around Flash Cookie Bug in ASP.net MVC

All the morning dealing with this bug!
Thanks!
10/26/2009 3:03 PM | Eduardo