I ran into a very difficult issue trying to get upload files using FileReference and URLRequest. File upload was working fine in Internet Explorer, but nothing would work in Firefox. I tried tracing out the request using LiveHTTPHeaders for Firefox, but I couldn’t even see any of the request data. With some help from my co-worker we determined that Firefox was not sending the session with the file upload and was producing a login error. On IE the session cookie is picked up and the upload request uses the authenticated session, no login error.
Firefox apparently uses another instance of the browser window to dispatch the uploaded file, this window does not have the session. I searched for some possible answer and it seems you need to ask the correction combination of questions to find the solution. The Flex documentation seems to hint at part of the issue, but nothing direct enough.
The FileReference and FileReferenceList classes also do not provide methods for authentication. With servers that require authentication, you can download files with the Flash® Player browser plug-in, but uploading (on all players) and downloading (on the stand-alone or external player) fails. Listen for FileReference events to determine whether operations complete successfully and to handle errors.
So we know that authentication is not being passed along, so what can we do about it. Searching for information related to URLRequest and sessionid revealed a good Flexcoders post on the same issue. You need to add the session to the URLRequest (in our case we added the jsessionid for TomCat):
This was a bugger of a problem to solve and not an easy one to track down. Our first reaction to the problem was that it was the JSP page or missing form data within Flex. Then of course people start point figures at Flex in general as not having the ability to do simple form posts or upload. It only appears if you are handling authentication when you upload files to the server. I have read several post about the issue with uploading files with IE that work, but that fall down with other browsers. Unfortunately, the information is not covered well by Flex documentation. Thank goodness for Flexcoders, they have saved me a lot of grief. However, not knowing this was a problem with authentication, I spent a lot of valuable time wrestling with the issue.
58 Comments
Looking at Perlin’s comment’s but perlexed:
That method produces:
ArgumentError: Error #2096: The HTTP request header Cookie cannot be set via ActionScript.
at flash.net::URLStream/load()
at flash.net::URLLoader/load()
Compiling using Flex Builder 3.
Why?
Have done some research and found that not allowing this is secruity feature in newer flash players:
From.. : http://www.securiteam.com/securityreviews/5KP0M1FJ5E.html
In Flash 9, the techniques described above (for the LoadVars class) do not work for any browser-provided header (e.g. User-Agent, Host and Referer), nor probably for many “protected” headers such as Content-Length. Still, headers like Expect can be sent, so some attacks (e.g. Example 1 above) are still effective with Flash 9.
So how did he get it to work?
Yep, found that out too a bit later on. My project was for a closed LAN and it worked perfectly (I’m guessing Flash player assumes local IPs are “trusted” or some such). I’ve been trying to fool it into thinking any IP is trusted but no luck. My only other guess would be to develop some sort of “proxy” script using the session-id-on-url trick that then hands the data over to the ’s authentication and uploading system.
In the system I used (JAWS CMS) it gets the session ID exclusively from the cookie, so the GET trick won’t work, ergo a proxy script is the best bet.
Best of luck!
In Flash 9, the techniques described above (for the LoadVars class) do not work for any browser-provided header (e.g. User-Agent, Host and Referer), nor probably for many “protected” headers such as Content-Length. Still, headers like Expect can be sent, so some attacks (e.g. Example 1 above) are still effective with Flash 9.
Great !
same problem has also Flash 10 + FF + MP3, request.url = urlVar+”?rand=”+Math.random();
Thank you!