Close this search box.

Working around Flash Cookie Bug in MVC

I was integrating a JQuery plugin for file uploads, uploadify, in my app when I saw a very strange behavior. The plugin reported an error transmitting the file to the server and debugging the controller code I noticed the target action wasn’t being called at all. Debugging the client code I found out that the server was redirecting the upload to the login page. The Controller was marked with the AuthorizeAttribute but the user was already authenticated. After a google search I found this article explaining the problem and a workaround that didn’t work for me.

One easy solution was to remove the Authorize attribute from that action but that would open a big security hole, allowing anybody to upload files to the server. I finally implemented a manual authentication that seems to work fine.

In the client I extract the value from the forms authentication cookie and send it with my file as data:

var auth =
    "<% = Request.Cookies[FormsAuthentication.FormsCookieName]==null ? string.Empty : Request.Cookies[FormsAuthentication.FormsCookieName].Value %>";
  :     //File upload
  :     $('#photoUpload').fileUpload({
  :         uploader: '/Content/uploader.swf',
  :         script: '/Files/UploadPicture',
  :         scriptData: { token: auth },
  :         cancelImg: '/Content/images/cancel.png',
  :         auto: true,
 :         folder: '/uploads',
 :         fileDesc: 'Image',
 :         fileExt: '*.jpg;*.jpeg;*.png;*.gif'
 :     });

I think this technique could be easily applied to SWFUpload as well.

The server receives the security token so I needed to authenticate it. This action does the trick:

public ActionResult UploadPicture(string token, HttpPostedFileBase fileData) : {
  :             FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(token);
  :             if(ticket!=null)
  :             {
  :                 var identity = new FormsIdentity(ticket);
  :                 if(identity.IsAuthenticated)
  :                 {
  :                     /*************************************
 :                      * 
 :                      *          HANDLE FILE
 :                      * 
 :                      * ***********************************/
 :                     return Content("OK");
 :             throw new InvalidOperationException("The user is not authenticated.");

I think I’ll move the authentication to an action filter to keep the action code cleaner but this works fine for now.

Technorati Tags: MVC,,Uploadify,JQuery,SWFupload

Print | posted on Wednesday, May 06, 2009 11:44 PM | Filed Under [ MVC ]

This article is part of the GWB Archives. Original Author: Ariel Popovsky’s Blog

Related Posts