One of the issues with using a Flash uploader controlled by JavaScript (e.g. SWFUpload) is that Flash starts its own session when executing the upload script. This means that if the upload script authenticates the user, it will fail.

One way around this is to pass a PHPSESSID as a post parameter to the script. This isn't a perfect solution, however, since many hosting providers have the PHP setting "session_use_only_cookies" turned on, preventing session IDs from being accepted from the request.

It's obviously a major concern at times that you don't want anonymous users executing your upload script, passing it god-knows-what from god-knows-where.

I'm wondering if anyone has any alternative ideas for authenticating users other than sessions and cookies. Would it be possible to validate that the Flash request came from the expected source and that a valid user initiated the request? Using some kind of token other than PHPSESSID, perhaps, how could this work, if at all?
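
One form the "token other than PHPSESSID" idea can take, as an added example that is not part of the original post: the logged-in page issues a short-lived HMAC-signed token, the uploader sends it as an ordinary POST field, and the upload script verifies it without touching the session. The function names, token layout, TTL and demo values are assumptions made for illustration.

```php
<?php
// Added example: all names, the token layout and the TTL are assumptions.

const UPLOAD_TOKEN_TTL = 300; // seconds a token stays valid (assumed value)

function base64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Called by the page that embeds the uploader, after the normal session login.
function issue_upload_token(string $userId, string $secret, int $now): string {
    $payload = base64url(json_encode(['uid' => $userId, 'exp' => $now + UPLOAD_TOKEN_TTL]));
    $mac = base64url(hash_hmac('sha256', $payload, $secret, true));
    return $payload . '.' . $mac;
}

// Called by the upload script with the token taken from a POST field.
// Returns the user id, or null if the token is malformed, forged or expired.
function verify_upload_token(string $token, string $secret, int $now): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = base64url(hash_hmac('sha256', $payload, $secret, true));
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;
    }
    $data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($data) || !isset($data['uid'], $data['exp'])) {
        return null;
    }
    if (!is_string($data['uid']) || !is_int($data['exp']) || $now > $data['exp']) {
        return null;
    }
    return $data['uid'];
}

// Constructed demo values; a real deployment uses a fixed server-side secret
// that is never sent to the client.
$secret = random_bytes(32);
$now    = time();
$token  = issue_upload_token('user-42', $secret, $now);

var_dump(verify_upload_token($token, $secret, $now));                        // fresh token
var_dump(verify_upload_token($token, $secret, $now + UPLOAD_TOKEN_TTL + 1)); // past expiry
var_dump(verify_upload_token($token . 'x', $secret, $now));                  // altered MAC
```

A token like this can be replayed until it expires, so the lifetime should stay short and the upload script still has to validate the uploaded file itself.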