I'm using swfupload v2.1.0 with swfupload_f9.swf in an ASP.NET 2.0 application for IE7. Things have been working great! However, today I was looking at my website in IIS and noticed I was allowing anonymous access. The final release to my client cannot have anonymous access to the site. So, I unchecked this property. Now, I am hammered by a windows authentication dialog box for every file I attempt to upload.
From what I've read in the forums there are non-IE browser issues, however I'm running IE7. So, I added the browser cookie workaround to my Global.asax file. Still I am prompted.
Can someone please tell me what is going on and how to get around this??
Here is a look at the javascript in my user control... adapted from the ASP.NET sample:
*** Within page script tags ***
var swfuDbfFile;
// Because this user control overrides the window.onload event and multiple user controls need to initialize
// on this event we have changed the signature to initialize.... This MUST be called from the parent page
// in window.onload event.
//window.onload = function() {
//
var initializeDbfFileUpload = function () {
swfuDbfFile = new SWFUpload({
// Backend Settings
upload_url: "DbfFileUploadHandler.axd", // Relative to the SWF file.
post_params : {
"ASPSESSID" : "<%=Session.SessionID %>"
},
// File Upload Settings
file_size_limit : "2048", // 2MB
file_types : "*.dbf",
file_types_description : "DBF files",
file_upload_limit : "0", // Zero means unlimited
// Event Handler Settings - these functions are defined in SWFUploadHandlers.js
// The handlers are not part of SWFUpload but are part of my website and control how
// my website reacts to the SWFUpload events. Obtained from their ASP.NET sample.
file_queue_error_handler : fileQueueError,
file_dialog_complete_handler : fileDialogComplete,
upload_progress_handler : uploadProgress,
upload_error_handler : uploadError,
upload_success_handler : uploadSuccess,
upload_complete_handler : uploadComplete,
// Flash Settings
flash_url : "swf/swfupload_f9.swf", // Relative to this file
custom_settings : {
upload_target : "divDbfFileUploadFileProgressContainer",
toolName : "DbfFileUploadControl"
},
// Debug Settings
debug: true
});
}
March 28, 2008 - 4:53pm
You are confusing Cookie based authentication (aka Session based authentication, aka Forms Authentication) with HTTP Authentication (Basic Auth, Windows Authentication).
1) Flash Player (and so SWFUpload) does not properly handle HTTP Authentication. You get an HTTP Auth popup window but most often it won't authenticate.
2) Flash Player for non-ie browsers on Windows does not property handle cookies. The cookie work-around is this: Send the authentication/session cookie's value as part of the post and manually restore the right session/authentication in the application (overriding the applications automatic session/authentication handling).
Auth Explanation (maybe you already know all this but it might help others)
HTTP Authentication is handled at the Web Server/Browser level with HTTP response codes and HTTP headers. Once authenticated the browser remembers that you already authenticated to this site and just sends the auth data with each request (otherwise you'd have to re-auth with every request).
Cookie based authentication is used at the application layer. This is where your provide authentication (usually in a form) and a random number is generated and stored in a cookie. This cookie is sent back to the server on each request. The application layer (PHP, ASP, etc) looks at that cookie and restores authentication and/or session information.
March 31, 2008 - 7:48am
Thanks for the clarification. So, the issue I'm running into is that Flash does not properly handle HTTP authentication. This results in a Windows Auth dialog popping up for every file the user attempts to upload.
Do you know of any workarounds for this issue? Certainly, many folks out there must have run into this.
Thanks.
Jeff
March 31, 2008 - 12:10pm
There is no work-around that I know of that allows you to continue to use Windows Authentication.
A work-around is to retrieve a one time use security token from an authenticated page which SWFupload will pass to the "unsecured" upload page (with Windows Auth disabled). The application verifies the security token and accepts the upload. This is basically "cookie" based authentication. You'll have to decide if this is secure enough for your application.
One issue to watch out for is that the entire file will be uploaded *before* you application checks the security token. That means if the user doesn't have a valid authentication token they waste time uploading the file only to be rejected after the upload is complete. The way I understand it a webserver will reject an unauthorized access without waiting for the entire post to complete. The browse then shows the login prompt and the user doesn't upload the file twice.
In ASP.Net you can use use an HTTP Module or Handler to intercept the request and check token at the beginning of the request and you can return an error message before the file uploads. All this is a little beyond anything I've done before.
March 31, 2008 - 4:56pm
How does SWFUpload get the security token from the authenticated page to pass on to the upload page or http handler? Is this via a post_param?
By the way, I very much appreciate you taking the time to answer these questions!
Thanks,
Jeff
March 31, 2008 - 5:45pm
Is it possible to forcibly degrade SWFUpload so that it relies on javascript rather than flash? Wouldn't this be a valid workaround since SWFUpload is supposed to degrade gracefully; i.e. still work?
March 31, 2008 - 10:24pm
Graceful degradation is not automatic, but available. When the swfobject plugin you get events that will notify you if the correct version of Flash is or is not available. You also get the swfupload_loaded event which you can use to update the page to use SWFUpload.
In other words you design your upload form using a normal HTML upload. Then you configure SWFUpload and your handlers to dynamically replace the HTML upload form once SWFUpload has loaded.
In SWFUpload v1.0.2 this was more automatic but less flexible. In v2 it is less automatic but very configurable. With the swfobject plugin you get even better Flash Detection.
SWFUpload does rely on JavaScript and if it is not available using the HTML Form/Dynamic SWFUpload form as described the lack of JavaScript will not affect the detection. But if the user doesn't have JavaScript you'll probably want to use some NOSCRIPT tags to display a message reminding them of the cool functionality they are missing out on.
You can see samples of this behavior by uninstall Flash or disabling JavaScript and visiting the Demo Pages.
August 25, 2009 - 10:19am
Hi All,
I hope someone can help us out. Our issue isn't quite the same, but it's related.
I used the SWFUpload on in an admin tool, and it worked great while it was in development before we added security to it, then after we made the site secure, the upload won't work anymore.
We do our development in ColdFusion, which shouldn't really make any difference in this case. But the security we use is by SiteMinder.
So what's happening when I try to upload the file, is instead of sending back the properly formatted response from the server, somehow SiteMinder is preventing that, and instead the server response is below.
Any suggestions greatly appreciated. Your site won't let me paste the full response cause it has HTML tags in it, not sure if there is a way to paste the whole thing...
onLoad="document.AUTOSUBMIT.submit();">This page is used to hold your data while you are being authorized for your request.You will be forwarded to continue the authorization process. If this does not happen automatically, please click the Continue button below.
November 17, 2009 - 8:28am
In response to the first question: (I know it's probably irrelevant for the person who asked more than a year ago, but this may help someone else)
I've got exactly the same problem, i.e. needing to have windows authentication enabled.
What I did was set the individual files handling the upload to allow anonymous authentication. Thus "upload.aspx" & "delete.aspx" (or whatever your equivalent files are called) allow anonymous authentication, the rest of the site requires windows authentication.
In my environment doing this does not pose a serious threat as I mainly need windows authentication to get the domain username and a few other attributes of the user and don't really care that much about security, so be careful if this does not apply to you.
March 28, 2010 - 10:57am
Im facing the same situation as you described in the post. I used windows authentication. Could u pls. share me how u give anonymous access to files handling the upload. I tried with location tag but not successful. I used ASP .net.
With rgds,
nemo
March 29, 2010 - 12:22pm
I think you need to use the IIS admin tool to find the virtual directory and set the security. Turn on Anonymous and turn off Windows Auth.
Things have changed a bit in IIS 7 so this might not be applicable anymore.