Solve swfupload in Chrome, Firefox browser session can not find the problem

SWFUpload is a very good asynchronous upload component, but it can be problematic when used in Chrome, Firefox, and other browsers. The problem is as follows: In order to prevent skipping the upload page directly to the "Accept SWFUpload upload General handler" (if it is upload.ashx) send the request caused Webshell vulnerability, my system for UPLOAD.ASHX has permission control, only the logged-on user can upload. There is no problem under IE, but the error "user not logged in" is running under chrome.

After the search to know: Because SWFUpload is uploaded by Flash,flash in IE will be the current page cookie sent to Upload.ashx, but Chrome, Firefox does not send cookies from the current page to Upload.ashx. because the session is implemented by the SessionID saved in the cookie , This is because the current page cookie is not passed to the flash request Upload.ashx, so the requested file is sent to Upload.ashx is a new session, of course, this session is not logged in.

The idea of solving this problem is also very simple, that is, manually pass the SessionID to the server, and then the server read out the SessionID and then load the session. In fact, the solution to the problem is given in the demo, which is to set the Post_params parameter in the SWFUpload constructor: SWFUpload

SWFU = new SWFUpload ({                    Post_params: {    &N Bsp                   "Aspsessid": "<%=session.sessionid%>"     & nbsp              } post_ The key-value pairs set in the params are passed to upload.ashx as form forms, which means that SWFUpload provides an interface for adding custom request parameters to the request.   The above code to write the current page SessionID to the Aspsessid value, when the user uploads the file, Aspsessid will be delivered to the server, Global.asax Application_ Add the following code in BeginRequest:            var Request = httpcontext.current.request;    &NB Sp       var Response = httpcontext.current.response;             try            {                Session_param_name string = " Aspsessid ";                String session_cookie_name =" Asp.net_sessionid "; &nbsp ;               if (httpcontext.current.request.form[session_param_name]! = null)                 {                    Updatecookie (Session_co Okie_name, Httpcontext.current.request.form[session_param_name]);               }                else if (httpcontext.current.request.querystring[session_ Param_name]! = null)                 {            &NB Sp       Updatecookie (Session_cookie_name, Httpcontext.current.request.querystring[session_param_name] );               }           }            catch (Exception)             {          &NBSP ;     Response.statuscode =500;                Response.Write ("Error Initializing Session");    &NB Sp      }                     The Updatecookie method is defined as follows: &NB Sp       static void Updatecookie (String cookie_name, String cookie_value)         {            HttpCookie cookie = HttpContext.Current.Request.Cookies.Get (cookie_name);            if (cookie = = null)             {      &NBS P         cookies = new HttpCookie (cookie_name);               / There is a problem with the code given in/swfupload's demo, which needs to be added with cookies. Expires settings                 cookies. Expires = DateTime.Now.AddYears (1);                                HTTPCOntext. Current.Request.Cookies.Add (Cookies);           }            C Ookie. Value = cookie_value;            HttpContext.Current.Request.Cookies.Set (cookie);  & nbsp    } 

Principle: When the user requests to arrive at the ASP. Application_BeginRequest method is called first, in the method to see whether the client submits up to Aspsessid, if any, then Write the value of the Aspsessid to the cookie ("Asp.net_sessionid" as the key, because the SESSIONID in ASP.) is stored in the cookie "Asp.net_sessionid" as key. The Application_BeginRequest method can then be read from the cookie to the "Asp.net_sessionid" value to restore the page's session.

If the site also uses the Membership FormsAuthentication verification, you also need to Authid also follow the SessionID method of processing, which is not mentioned in the article swfupload this bug processing.

Set the Post_params parameter in the SWFUpload constructor:

SWFU = new SWFUpload ({                    Upload_url: "/adminht/uploadar Ticleimg.ashx ",                    Post_params: {      &N Bsp                 "Aspsessid": "<%=session.sessionid%>",                        "AUTHID": "<%=request.cookies[formsauthentication.form Scookiename]. Value%> "                   },  in Global.asax Application_ BeginRequest Add the following code:            try            {                String auth_param_name = "AUTHID";            &NBS P   String auth_cookie_name = formsauthentication.formscookiename;             & nbsp   IF (Httpcontext.current.request.form[auth_param_name]! = null)                 {&nbs P                   Updatecookie (Auth_cookie_name, Httpcontext.current.request.form[auth_param_name]);               }                ELSE if (httpcontext.current.request.querystring[auth_param_name]! = nul L)                 {                    Updatecookie (Auth_cookie_name, Httpcontext.current.request.querystring[auth_param_name]);               }            }        &N Bsp   catch (Exception)             {                Response.statuscode = 500;          &NBSp     Response.Write ("Error Initializing Forms Authentication");           }

Fix swfupload in Chrome, Firefox browser session not found