Inside a Flex app, I have a user login. The login calls a ColdFusion function as a remote object which authenticates the user and, if applicable, returns their id and access level. This works fine, but now I'm at the point where I want to also create a cookie for another ColdFusion template (called from fileReference.upload()) to be able to access later.

I have tried several different methods for creating the cookie -- cfcookie, creating a cookie with JavaScript inside the ColdFusion function, and creating the cookie with JavaScript with an external interface once the ColdFusion function returns to the Flex result handler. All of these have been tried with a plethora of options regarding expiration, path, and domain tags.

Any of these seems to work for cookie creation. Cookies show up in listings for my domain in Chrome as well as in a Firefox add-on 'View Cookies 1.9.2' that I've installed just for this purpose. Yet, still, none of these cookies seem to be readable by my upload.cfm when it is called later.

The upload.cfm, once called by a file upload request, sends the user id along with the file. From here, it should be a simple comparison between the id sent with the file and the id from the cookie. So far, the upload.cfm template has been unable to find the cookie (with any of the creation methods) looking at the obvious #cookie.name# or even #name#.

I'd appreciate any insight into why this is occurring, or perhaps an alternative method to the security I'm attempting to implement.

Thanks for reading,

-cs

+2  A: 

Have you done most/all of your testing in a browser other than Internet Explorer?

Unfortunately, there is a bug in the Flash player [login required], which can be summarized as:

  • (In browsers other than Internet Explorer) The Flash Player uses a different network stack than the browser, and therefore...
  • Requests made by the Flash Player have a different server-side session than, for example, the request for the page that embeds the Flash Player.

This causes a situation whereby session variables set by the page are not (easily, by default) available to remote requests made by the Flash Player on the page.

CFID and CFTOKEN are set as cookies as well as stored in the session.urlToken variable. (JSessionId is included as well, if you're using Java session management).

I'm not positive, but I think this may be the root of your problem.

I believe that if you pass the CFID and CFTOKEN (and JSessionId) values to your Flex application as FlashVars, and then include them in the remote requests to the server, that the cookies you're setting will be available to later remote requests by Flash (i.e. your upload).

Adam Tuttle
Sounds reasonable as I've seen different results coming from IE than Chrome/Firefox. I'll give this a shot. Thanks!
CoreyS
I've had no luck getting this method to work either. The cfid and cftoken come out the same in the upload template, but I still can't access cookies or session variables. I'm stumped.
CoreyS
Without some code to test that's about the best I can do. Have you considered an alternative to cookies? What about a database record tied to the user?
Adam Tuttle
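
The database-record alternative raised in the last comment, sketched as an added example (not code from either poster): the login function stores a random token against the user id, Flex sends that token with the upload, and upload.cfm checks it server-side instead of reading a cookie. The datasource `appDsn`, the table `upload_tokens`, the function name `issueUploadToken`, the form field `uploadToken` and `application.uploadDir` are all hypothetical names, and Flex is assumed to send `userId` and `uploadToken` as POST variables on the URLRequest given to fileReference.upload().

```cfml
<!--- In the login CFC (hypothetical helper): call after authentication
      succeeds and return the token to Flex together with the user id. --->
<cffunction name="issueUploadToken" access="private" returntype="string" output="false">
    <cfargument name="userId" type="numeric" required="true">
    <!--- Random, unguessable value; never derived from the user id. --->
    <cfset var token = hash(generateSecretKey("AES") & createUUID(), "SHA-256")>
    <cfquery datasource="appDsn">
        INSERT INTO upload_tokens (token, user_id, expires_at)
        VALUES (
            <cfqueryparam value="#token#" cfsqltype="cf_sql_varchar">,
            <cfqueryparam value="#arguments.userId#" cfsqltype="cf_sql_integer">,
            <cfqueryparam value="#dateAdd('n', 15, now())#" cfsqltype="cf_sql_timestamp">
        )
    </cfquery>
    <cfreturn token>
</cffunction>

<!--- upload.cfm: the token and id arrive as form fields, so nothing here
      depends on cookies or on which session Flash Player ended up in. --->
<cfparam name="form.userId" default="">
<cfparam name="form.uploadToken" default="">
<cfquery name="tokenRow" datasource="appDsn">
    SELECT user_id
    FROM upload_tokens
    WHERE token = <cfqueryparam value="#form.uploadToken#" cfsqltype="cf_sql_varchar">
      AND expires_at > <cfqueryparam value="#now()#" cfsqltype="cf_sql_timestamp">
</cfquery>

<!--- Reject unknown or expired tokens, and any submitted id that does not
      match the id stored server-side for that token. --->
<cfif tokenRow.recordCount NEQ 1
      OR NOT isNumeric(form.userId)
      OR tokenRow.user_id NEQ form.userId>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- Flash Player posts the file in the field named Filedata.
      application.uploadDir is assumed to be a directory outside the web root. --->
<cffile action="upload"
        fileField="Filedata"
        destination="#application.uploadDir#"
        nameConflict="makeunique">
```

The id stored with the token is the authoritative one; the id sent with the file is only compared against it, so a client that changes `userId` without holding the matching token is refused.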