
I want to clarify what I have observed about the Flash Cookie bug.
The Flash Player Plugin for Firefox, Opera and Safari (and probably other non-IE based browsers) has a bug which sends persistent cookies from IE to the upload URL instead of the cookies from the browser. Session-only cookies from IE are not sent.
When Flash initializes in the browser its own empty "cookie space" is created. It loads persistent cookies from IE (which you can see in %USERPROFILE%\cookies). In-memory (session) cookies are not loaded.
The cookies from the browser are not loaded into Flash's cookie space.
Any session cookies created by the upload script are maintained in-memory in Flash's cookie space. New persistent cookies are created on disk (which you can see in %USERPROFILE%\cookies) and will immediately appear in IE. Cookies created in the Flash cookie space will not appear in any of the browser's "view cookie" tools.
All Flash Movies share the same per-browser cookie space which is maintained until the browser is closed (i.e., multiple tabs in Firefox will share the same Flash cookie space but Firefox and Safari maintain separate Flash cookie spaces).
I've carefully tested this issue in Firefox 3 and IE 7 on Windows XP Pro with Flash Player 9.0.115. I also did some basic testing in Opera 9.24 and the Safari Beta for Windows. I plan to create a new demo which will demonstrate my findings.
I have not tested this issue on OS X or in Linux.
Cookie Bug Demo
I've created a Cookie Bug demo which you can see at http://demo.swfupload.org/cookiebugdemo/. Please follow the instructions before saying that it doesn't do anything.
Remember that this is not a bug in SWFUpload but in the Flash Player.
This might be considered a proof of concept for a Flash security issue or as a tricky way to communicate between IE and another browser using Flash.
What are the effects?
Just wondering:
What are the effects of this bug to watch out for?
How does it limit us with 2.10?
Should we be working around it in some way?
Regards,
LTG
Re: Effects
1) Any cookies from a non-IE browser (i.e., authentication, login, etc.) will not be sent with the file upload. Rather, the cookies from IE will be sent. So, no cookies or the wrong cookies will be sent. In most cases this means sessions and cookie-based authentication are lost when making an upload.
2) Cookies set by the upload script do get set, but only for Flash. The browser will not see them.
3) This bug affects Flash 8 and Flash 9 and all versions of SWFUpload.
4) You cannot rely on cookies when using SWFUpload (or any Flash-based upload tool). You must send the data you need from the cookies in another way. There are several threads regarding this issue in the forum and many of the demos show workarounds for restoring PHP sessions and some sample files show how to restore the cookies so Session and Authentication are restored in ASP.Net.
5) This could be considered a security issue but probably not severe enough to actually compromise any data. The cookies created in IE by Flash still have all the rules and restrictions associated with cookies in any browser.
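An added example, not part of the post above and not SWFUpload's own code: one way to carry the session to the upload handler without cookies is a short-lived HMAC-signed token passed as a POST field (for instance through SWFUpload's `post_params` setting). It is written for Node.js; the field name `upload_token` and all function names are assumptions made for illustration.

```javascript
const { createHmac, randomBytes, timingSafeEqual } = require("crypto");

// Assumption: a server-side secret shared by the page renderer and the
// upload handler. It is never sent to the client.
const SECRET = randomBytes(32);
const TOKEN_TTL_MS = 5 * 60 * 1000; // token is valid for five minutes

function sign(payload) {
  return createHmac("sha256", SECRET).update(payload).digest("hex");
}

// Called while rendering the page, where the browser's real session cookie
// is available. The returned string is placed in the upload's POST fields.
function issueUploadToken(sessionId, now = Date.now()) {
  const claims = JSON.stringify({ sid: sessionId, exp: now + TOKEN_TTL_MS });
  const payload = Buffer.from(claims, "utf8").toString("hex");
  return payload + "." + sign(payload);
}

// Returns the session id bound to a valid, unexpired token, otherwise null.
function verifyUploadToken(token, now = Date.now()) {
  if (typeof token !== "string") return null;
  const parts = token.split(".");
  if (parts.length !== 2) return null;
  const [payload, mac] = parts;
  const expected = Buffer.from(sign(payload), "utf8");
  const given = Buffer.from(mac, "utf8");
  // Constant-time comparison; lengths must match before timingSafeEqual.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let claims;
  try {
    claims = JSON.parse(Buffer.from(payload, "hex").toString("utf8"));
  } catch (err) {
    return null;
  }
  if (typeof claims.sid !== "string" || typeof claims.exp !== "number") return null;
  return now < claims.exp ? claims.sid : null;
}

// Upload handler side: the Cookie header is ignored on purpose, because for
// a Flash upload it may hold IE's cookies rather than the browser's.
function authenticateUpload(req, now = Date.now()) {
  const token = req.body ? req.body.upload_token : undefined;
  return verifyUploadToken(token, now);
}
```

Because the token is bound to one session and expires quickly, a leaked upload URL or POST body is less useful than a raw session ID passed in the clear.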
thanks
for helping to understand this one--
Seems crazy that Adobe isn't all over this.
Cookies and Drupal
At last I found a solution that enables the use of SWFUpload with Drupal (and have Mac users be able to make it to the party), while leaving the core code intact.
Check it out (if you need more details I will provide):
http://blog.ascaniocolonna.com/?p=23
I've just made a post on the CodeIgniter forums about this issue as well.
http://codeigniter.com/forums/viewthread/77044/