views: 1733
answers: 5

I'm building a PHP-based web app and am integrating a Flash-based charting engine. The Flash chart needs to make an AJAX request for its data. This request fails because it is seen as a new user agent and doesn't contain the PHP session cookie to identify it. So, it gets redirected to the login page.

I've read a few hacks to make this work, including supplying the session ID on the querystring, but that opens up security holes. How can I get Flash and PHP to share cookie-based session state automatically and stay secure?

A: 

Use ExternalInterface to talk to the Flex chart. Some browser related information can be passed around via the LoaderContext and BrowserManager classes as well. Dig in a bit into the AS3 documentation.

dirkgently
+1  A: 

If the session cookie is initiated early enough, then it should be OK. I've had a similar problem with cookies shared between JavaScript AJAX and Flash requests (if you want to call that AJAX too, go ahead :-) ), and we solved them by making sure the JavaScript finished the request that initiated the cookie early enough so that when the Flash sent the request, the browser already had the session cookie.

Also making sure the cookie path was set to "/" was a good idea.

That being said, if you can't get it to work - as dirkgently said - you can store the information in the HTML DOM using a JavaScript AJAX call, and then fetch it from the Flash object using an ExternalInterface call. But do make sure to set at least "allowScriptAccess=sameDomain" on your Flash object.

Guss
+2  A: 

In IE it will work natively. In Firefox, the only way to achieve this is to POST the session id into the Flash script (the PHP processor, that is), and have it restore the session from that.

Yegor
How exactly are you POSTing the id? I imagine you can include it in the object/embed parameters, but it would be sent back as a GET, not POST.
spoulson
A: 

You can try sending PHP two parameters: one is the session_id, and the second is a key that combines some information from the client (e.g. IP), encrypted with a key stored on the server. On the request from Flash, check that the second parameter matches the client request. This way, if somebody tries session stealing, they can't, because the second param will not match.

solomongaby
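The two answers above (Yegor's "POST the session id and restore the session from it" and solomongaby's "add a second parameter bound to the client and checked on the server") can be combined into one server-side check. The following PHP is an added example written for this thread, not code from any of the posters: it binds the session ID to the client address and an expiry with an HMAC before handing it to the Flash object, and the Flash-facing endpoint only adopts the session ID after that binding verifies. The secret constant, the `user_id` session key, and the `/chart-data.php` endpoint name are assumptions.

```php
<?php
// Added example (not from the thread). Assumptions: SESSION_BINDING_KEY is a
// random server-side secret kept outside the web root; /chart-data.php is the
// hypothetical endpoint the SWF POSTs to; $_SESSION['user_id'] marks a login.
declare(strict_types=1);

const SESSION_BINDING_KEY = 'REPLACE-WITH-A-RANDOM-32-BYTE-SECRET'; // placeholder
const TOKEN_TTL_SECONDS   = 300; // short lifetime limits replay of a leaked token

// Cookie path "/" (Guss's point) plus HttpOnly, so the browser sends the
// session cookie on the chart request whenever it is able to.
function configure_session_cookie(): void
{
    // lifetime, path, domain, secure, httponly
    session_set_cookie_params(0, '/', '', isset($_SERVER['HTTPS']), true);
}

// Token handed to the SWF (e.g. as a flashvar): sid|expires|HMAC(sid|ip|expires).
// The IP is not sent, only mixed into the MAC, so a token copied to another
// host fails verification there.
function issue_flash_token(string $sessionId, string $clientIp): string
{
    $expires = time() + TOKEN_TTL_SECONDS;
    $mac = hash_hmac('sha256', $sessionId . '|' . $clientIp . '|' . $expires, SESSION_BINDING_KEY);
    return base64_encode($sessionId . '|' . $expires . '|' . $mac);
}

// Returns the session ID if the token is well-formed, unexpired, and the MAC
// recomputed with the *current* client IP matches; otherwise null.
function verify_flash_token(string $token, string $clientIp): ?string
{
    $decoded = base64_decode($token, true);
    if ($decoded === false) {
        return null;
    }
    $parts = explode('|', $decoded);
    if (count($parts) !== 3) {
        return null;
    }
    [$sessionId, $expires, $mac] = $parts;
    // PHP session IDs are [A-Za-z0-9,-]; reject anything else before session_id().
    if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sessionId)) {
        return null;
    }
    if (!ctype_digit($expires) || (int) $expires < time()) {
        return null;
    }
    $expected = hash_hmac('sha256', $sessionId . '|' . $clientIp . '|' . $expires, SESSION_BINDING_KEY);
    // Constant-time comparison; a plain == would leak MAC bytes through timing.
    return hash_equals($expected, $mac) ? $sessionId : null;
}

// /chart-data.php: adopt the posted session only after the binding verifies.
function restore_session_from_request(array $post, string $clientIp): bool
{
    $sid = verify_flash_token((string) ($post['token'] ?? ''), $clientIp);
    if ($sid === null) {
        return false; // caller answers 401/403 instead of redirecting to login
    }
    configure_session_cookie();
    session_id($sid);   // Yegor's "restore" step, now gated by the check above
    session_start();
    return isset($_SESSION['user_id']);
}

// Issuing side, in the page that embeds the chart (after session_start()):
//   $token = issue_flash_token(session_id(), $_SERVER['REMOTE_ADDR']);
// Consuming side, at the top of /chart-data.php:
//   if (!restore_session_from_request($_POST, $_SERVER['REMOTE_ADDR'])) {
//       http_response_code(403); exit;
//   }
```

Two caveats a practitioner should weigh before using IP binding as the "second parameter": clients behind carrier NAT or rotating proxies can change address between the page load and the chart request, which turns into spurious 403s, and behind a reverse proxy `REMOTE_ADDR` is the proxy, so the real client address has to come from a trusted forwarding header. The short expiry does most of the work even when the IP check has to be relaxed, and the token still goes in a POST body rather than the query string so it does not land in logs or `Referer` headers.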
+1  A: 

You should be aware that transmitting a session ID in a Cookie: header, or in the argument field of a GET HTTP request, is no different in terms of security.

Jotham
With the exception that if you transmit it in the query line, it might be visible in browser history and web server logs (which might be arbitrary third-party proxies on the way). It might also end up in entirely unrelated sites via the `Referer` header.
Hanno Fietz
If this is desired behavior the software should be written so this is not a valid concern. This is just poor engineering.
Jotham