I'm using uploadify, and I can't set sessions in my PHP files. My script looks like this:
$("#uploadify").uploadify({
'uploader' : '
This may work but from a security perspective is really bad practice. This would allow anyone with a valid sessionID to impersonate that session just by changing the sessionid. It would be better to do even a basic synchronous encryption of the sessionid with a secret key (known only to the backend code), and then decrypt it on the upload.php script.
$(document).ready(function() {
    var nombre = $('#uploadify1').val(); // first input
    var autor = $('#uploadify1').val(); // second one
    $("#uploadify").uploadify({
        'uploader' : UPLOADIFY_URL+'scripts/uploadify.swf',
        'script' : 'ticket_docs_uploadify.php',
        'cancelImg' : UPLOADIFY_URL+'cancel.png',
        'folder' : 'ticket_document_uploads',
        'queueID' : 'fileQueue',
        // URL-encode the form values before placing them in the query string
        'checkScript' : 'ticket_docs_check.php?nombre='+encodeURIComponent(nombre)+'&autor='+encodeURIComponent(autor),
        'fileDesc' : 'I am testing uploadify',
        'buttonText' : 'Upload',
        // session values are written into the page and sent back as POST fields
        'scriptData' : {'sessTempTickedId': '<?php echo $_SESSION['sessTempTickedId'];?>', 'pkEmployeeID': '<?php echo $_SESSION['pkEmployeeID'];?>', 'EmployeeDepartment': '<?php echo $_SESSION['EmployeeDepartment'];?>' },
        'auto' : false,
        'multi' : true,
        'onComplete' : function(a, b, c, d, e){
            //alert(a+b+c+d+e);
        },
        'onAllComplete': function(event,data){
            //something here alert('asdasd'); alert(json_decode(data));
        }
    });
});
<?php
include_once('../../common/inc/connectdb.inc.php');

if (!empty($_FILES))
{
    $tempFile = $_FILES['Filedata']['tmp_name'];
    $targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';

    // change the file name here: timestamp plus the original extension
    $fileName = time();
    $arrFile = pathinfo($_FILES['Filedata']['name']);
    $strFileExt = strtolower($arrFile['extension']);
    $strFileName = $arrFile['filename'];
    $strFileBaseName = $arrFile['basename'];
    $fileName = $fileName.'.'.$strFileExt;
    $targetFile = str_replace('//','/',$targetPath) . $fileName;

    // escape every value before it goes into the SQL string
    $sql = "INSERT INTO ticket_documents (fkTicketID,fkEmployeeID,fkDepartmentID,TicketDocumentName,TicketDocumentLabel) VALUES ('"
        . mysql_real_escape_string($_POST['sessTempTickedId']) . "','"
        . mysql_real_escape_string($_POST['pkEmployeeID']) . "','"
        . mysql_real_escape_string($_POST['EmployeeDepartment']) . "','"
        . mysql_real_escape_string($fileName) . "','"
        . mysql_real_escape_string($_FILES['Filedata']['name']) . "')";
    mysql_query($sql) or die(mysql_error());

    move_uploaded_file($tempFile,$targetFile);
    echo "1";
}
?>
Here is the answer directly from uploadify: Using Sessions with Uploadify
In your .php that calls the ajax:
'scriptData': {'<?php echo session_name();?>':'<?php echo session_id();?>'},
And in your uploadify.php (receiving/saving program):
$session_name = session_name();
if (!isset($_GET[$session_name])) {
    exit;
} else {
    session_id($_GET[$session_name]);
    session_start();
}
I am using 2.1.4, and it works like a charm for session variables.
Add this before your external .js file with the uploadify implementation.
<!-- Get sessionId -->
<script type="text/javascript" charset="utf-8">
var sessionId = "<?php echo session_id(); ?>";
</script>
Then add this to the uploadify script.
$('#uploadify').uploadifySettings('scriptData', {'sessionId': sessionId});
PHP upload script needs this.
// Start session
session_id($_POST['sessionId']);
session_start();
All done!
After reading all the brilliant replies regarding both security and method, I've worked my own way around the problem, and I'll post it here for the benefit of others. Skip to the bottom for the solution, it's all that matters right? ;).
This is an annoyance that means that when accessing uploadify.php, any session variables you had previously stored can't be accessed from the current (uploadify) session. You're essentially looking at a session object that is completely unrelated to the session you made. Aaah, so what do we do, pass it through the javascript?
You "can" pass a reference to the session through javascript, but javascript is client (user) side, and because of this, a user can change the session reference before it is sent off to the server. He could effectively fake his session ID. This is actually terrifyingly dangerous, at least in the case of my application.
Do NOT use the default session_start() on its own, which AFAIK cannot be referenced by an ID. Instead, every time you use session_start(), set an ID for the session you wish to use (which I now feel is good practice regardless).
session_id("IDHere");
session_start();
Sessions are variables shared between the server and every other client connecting with reckless abandon. If you want to store session variables that are unique to each individual user of your site, the session_id HAS to be some sort of completely unique dynamic ID relative to that user. This can be accessed from a cookie, or more securely a database (the user's unique ID?).
Edit: After a bit of research, it seems that default sessions (without an ID) use the sessionID "PHPSESSID". So although I haven't tried it yet, setting session_id("PHPSESSID"), before you start the session in uploadify.php may fix the problem too.
But still, if a plugin just so happens to use an identical session variable to you inside the same session, problems could spring up, so it's probably best to make your session with its own unique ID anyway.
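The suggestion earlier in the thread to protect the session id with a key known only to the backend, and the concern that anything passed through JavaScript can be changed by the client, as an added example that is not part of the original posts: the page puts a sealed, short-lived token in scriptData instead of the raw session id, and the upload script only accepts a token that decrypts and has not expired. It uses AES-256-GCM (authenticated encryption) rather than plain encryption; the function names, key constant and lifetime are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.1 with OpenSSL.
// The key is a constructed placeholder; keep a real one in server-side config.
const UPLOAD_TOKEN_KEY = 'constructed-demo-key-32-bytes!!!'; // exactly 32 bytes
const UPLOAD_TOKEN_TTL = 300;                                // seconds

// Page side: seal the session id and an expiry time with AES-256-GCM.
function make_upload_token(string $sessionId, int $now): string
{
    $iv = random_bytes(12);
    $plain = json_encode(['sid' => $sessionId, 'exp' => $now + UPLOAD_TOKEN_TTL]);
    $tag = '';
    $cipher = openssl_encrypt($plain, 'aes-256-gcm', UPLOAD_TOKEN_KEY,
                              OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $cipher);
}

// Upload side: return the session id, or null when the token is malformed,
// was altered in transit, or has expired.
function open_upload_token(string $token, int $now): ?string
{
    $raw = base64_decode($token, true);
    if ($raw === false || strlen($raw) < 29) { // 12-byte IV + 16-byte tag + data
        return null;
    }
    $plain = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', UPLOAD_TOKEN_KEY,
                             OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    if ($plain === false) {
        return null; // authentication tag did not verify
    }
    $data = json_decode($plain, true);
    if (!is_array($data) || !isset($data['sid'], $data['exp']) || $data['exp'] < $now) {
        return null;
    }
    return (string) $data['sid'];
}

// Constructed demonstration values.
$now = 1700000000;
$token = make_upload_token('constructedsessionid0123', $now);
$altered = ($token[0] === 'A' ? 'B' : 'A') . substr($token, 1);
var_dump(open_upload_token($token, $now + 10));   // untouched token, inside the TTL
var_dump(open_upload_token($altered, $now + 10)); // first character changed
var_dump(open_upload_token($token, $now + 301));  // same token after expiry
```

In the upload script the returned id would be passed to session_id() before session_start(), and values such as pkEmployeeID read from $_SESSION rather than from scriptData. The token is still usable by whoever holds it until it expires, so the lifetime should stay short.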