Sessions and uploadify

Question

I'm using uploadify, and i can't set sessions in my php files, my script looks like this:

    $("#uploadify").uploadify({
        'uploader'       : '/extra/flash/uploadify.swf',
        'script'         : '/admin/uploads/artistsphotos',
        'scriptData'     : {'PHPSESSID' : '<?= session_id(); ?>'},
        'cancelImg'      : '/images/cancel.png',
        'folder'         : '/img/artists',
        'queueID'        : 'fileQueue',
        'auto'           : false,
        'multi'          : true,
        'onComplete'     : function(a, b, c, d, e){

        },  
        'onAllComplete': function(event,data){
         $bla = $('#art').find(':selected',this);
         $fi  = $bla.val();
    $.ajax({
      type: "POST",
      url: "/admin/uploads/artistsphotosupload",
      data: "artist="+$fi,
      success: function(msg){
        console.log(msg);
      }
    });
     }
});

And in php if i try:

$_SESSION['name'] = 'something';

I can't access it in another file.and i have session_start(); activated Any solutions?

Answer 1

Usually the session ID won't be read from POST. You could do this:

$_COOKIE['PHPSESSID'] = $_POST['PHPSESSID'];
session_start();

Answer 2

I'm currently having a similar problem with uploadify + PHP sessions.

Using error_log() I can monitor that when the uploadify flash app sends the file data up to the server, it passes the correct session_id to the upload script:

'scriptData' : { 'session_id' : session_id },

(session_id set earlier: var session_id = '';)

So, that lets me check that yes, the session id for my pages and the session id for the uploadify script are in fact the same.

But, when the script runs and I start the session by:

session_id($session_id); session_start();

Somehow ALL the session data is destroyed (I've also been setting session data into an array so I can refresh and watch the data grow with each request, then when I use uploadify, it's wiped).

I have no clue on how to debug this :/

edit: suhosin may be destroying the session:

http://www.uploadify.com/forum/viewtopic.php?f=7&t=2062

Answer 3

you cannot solve this because uploadify has own session ID which is created by flash player. In other words the flash player access the uploadify script as a new user and gets a new session. The only way you can solve this is to pass current page session_id through post to the uploadify script.

Answer 4

Hi, I found a solution which is far easier to implement, especially if you already have a session-oriented PHP backend for login, etc.:

just write the following code in the jQuery statement:

'script'    : '/upload.php?<?= session_name(); ?>=<?= session_id(); ?>',

which will magically attach your current session name and your session id.

Answer 5

This may work but from a security perspective is really bad practice. This would allow anyone with a valid sessionID to impersonate that session just by changing the sessionid. It would be better to do even a basic synchronous encryption of the sessionid with a secret key (known only to the backend code), and then decrypt it on the upload.php script.

Answer 6

This link gives a detailed solution for this problem...

http://www.uploadify.com/forum/viewtopic.php?f=5&t=43

Answer 7

Add this before your external .js file with the uploadify implementation.

<!-- Get sesssionId -->
 <script type="text/javascript" charset="utf-8">
  var sessionId = "<?php echo session_id(); ?>";
 </script>

Then add this to the uploadify script.

$('#uploadify').uploadifySettings('scriptData', {'sessionId': sessionId});

PHP upload script needs this.

// Start session
 session_id($_POST['sessionId']);
 session_start();

All done!