ASP.NET IE7 authentication issue
I'm using swfupload v2.1.0 with swfupload_f9.swf in an ASP.NET 2.0 application for IE7. Things have been working great! However, today I was looking at my website in IIS and noticed I was allowing anonymous access. The final release to my client cannot have anonymous access to the site. So, I unchecked this property. Now, I am hammered by a windows authentication dialog box for every file I attempt to upload.
From what I've read in the forums there are non-IE browser issues, however I'm running IE7. So, I added the browser cookie workaround to my Global.asax file. Still I am prompted.
Can someone please tell me what is going on and how to get around this??
Here is a look at the javascript in my user control... adapted from the ASP.NET sample:
*** Within page script tags ***
var swfuDbfFile;
// Because this user control overrides the window.onload event and multiple user controls need to initialize
// on this event we have changed the signature to initialize.... This MUST be called from the parent page
// in window.onload event.
//window.onload = function() {
//
var initializeDbfFileUpload = function () {
swfuDbfFile = new SWFUpload({
// Backend Settings
upload_url: "DbfFileUploadHandler.axd", // Relative to the SWF file.
post_params : {
"ASPSESSID" : "<%=Session.SessionID %>"
},
// File Upload Settings
file_size_limit : "2048", // 2MB
file_types : "*.dbf",
file_types_description : "DBF files",
file_upload_limit : "0", // Zero means unlimited
// Event Handler Settings - these functions are defined in SWFUploadHandlers.js
// The handlers are not part of SWFUpload but are part of my website and control how
// my website reacts to the SWFUpload events. Obtained from their ASP.NET sample.
file_queue_error_handler : fileQueueError,
file_dialog_complete_handler : fileDialogComplete,
upload_progress_handler : uploadProgress,
upload_error_handler : uploadError,
upload_success_handler : uploadSuccess,
upload_complete_handler : uploadComplete,
// Flash Settings
flash_url : "swf/swfupload_f9.swf", // Relative to this file
custom_settings : {
upload_target : "divDbfFileUploadFileProgressContainer",
toolName : "DbfFileUploadControl"
},
// Debug Settings
debug: true
});
}
Cookie Based vs HTTP Auth
You are confusing Cookie based authentication (aka Session based authentication, aka Forms Authentication) with HTTP Authentication (Basic Auth, Windows Authentication).
1) Flash Player (and so SWFUpload) does not properly handle HTTP Authentication. You get an HTTP Auth popup window but most often it won't authenticate.
2) Flash Player for non-ie browsers on Windows does not property handle cookies. The cookie work-around is this: Send the authentication/session cookie's value as part of the post and manually restore the right session/authentication in the application (overriding the applications automatic session/authentication handling).
Auth Explanation (maybe you already know all this but it might help others)
HTTP Authentication is handled at the Web Server/Browser level with HTTP response codes and HTTP headers. Once authenticated the browser remembers that you already authenticated to this site and just sends the auth data with each request (otherwise you'd have to re-auth with every request).
Cookie based authentication is used at the application layer. This is where your provide authentication (usually in a form) and a random number is generated and stored in a cookie. This cookie is sent back to the server on each request. The application layer (PHP, ASP, etc) looks at that cookie and restores authentication and/or session information.
So how to get around this issue?
Thanks for the clarification. So, the issue I'm running into is that Flash does not properly handle HTTP authentication. This results in a Windows Auth dialog popping up for every file the user attempts to upload.
Do you know of any workarounds for this issue? Certainly, many folks out there must have run into this.
Thanks.
Jeff
Work-arounds
There is no work-around that I know of that allows you to continue to use Windows Authentication.
A work-around is to retrieve a one time use security token from an authenticated page which SWFupload will pass to the "unsecured" upload page (with Windows Auth disabled). The application verifies the security token and accepts the upload. This is basically "cookie" based authentication. You'll have to decide if this is secure enough for your application.
One issue to watch out for is that the entire file will be uploaded *before* you application checks the security token. That means if the user doesn't have a valid authentication token they waste time uploading the file only to be rejected after the upload is complete. The way I understand it a webserver will reject an unauthorized access without waiting for the entire post to complete. The browse then shows the login prompt and the user doesn't upload the file twice.
In ASP.Net you can use use an HTTP Module or Handler to intercept the request and check token at the beginning of the request and you can return an error message before the file uploads. All this is a little beyond anything I've done before.
How does SWFUpload get the security token?
How does SWFUpload get the security token from the authenticated page to pass on to the upload page or http handler? Is this via a post_param?
By the way, I very much appreciate you taking the time to answer these questions!
Thanks,
Jeff
Forcibly degrade SWFUpload?
Is it possible to forcibly degrade SWFUpload so that it relies on javascript rather than flash? Wouldn't this be a valid workaround since SWFUpload is supposed to degrade gracefully; i.e. still work?
Graceful degradation
Graceful degradation is not automatic, but available. When the swfobject plugin you get events that will notify you if the correct version of Flash is or is not available. You also get the swfupload_loaded event which you can use to update the page to use SWFUpload.
In other words you design your upload form using a normal HTML upload. Then you configure SWFUpload and your handlers to dynamically replace the HTML upload form once SWFUpload has loaded.
In SWFUpload v1.0.2 this was more automatic but less flexible. In v2 it is less automatic but very configurable. With the swfobject plugin you get even better Flash Detection.
SWFUpload does rely on JavaScript and if it is not available using the HTML Form/Dynamic SWFUpload form as described the lack of JavaScript will not affect the detection. But if the user doesn't have JavaScript you'll probably want to use some NOSCRIPT tags to display a message reminding them of the cool functionality they are missing out on.
You can see samples of this behavior by uninstall Flash or disabling JavaScript and visiting the Demo Pages.