Solve the Problem of swfupload in chrome, Firefox and other browsers

Address: http://www.cnblogs.com/rupeng/archive/2012/01/30/2332427.html

 

 

Swfupload is a very good asynchronous upload component, but it may cause problems when used in chrome, Firefox and other browsers. The problem is as follows: to avoid skipping the upload page and directly sending "Accept swfupload upload for general processing"Program"(For example, upload. ashx) sends a request to cause a webshell vulnerability. In my system, the upload. ashx permission is controlled, and only login users can upload the file. There is no problem in IE, but the error "user is not logged on" is reported when running in chrome ".

after searching, it is found that swfupload is uploaded by flash, flash sends the cookie of the current page to upload in IE. ashx, but chrome and Firefox do not send the cookie of the current page to upload. ashx. because session is implemented by the sessionid saved in the cookie (Asp. the net video tutorial describes the relationship between sessions and cookies. If you are not familiar with this, refer to "Chuan Zhi podcast video tutorial version 2011: Asp. net, so that the current page cookie will not be passed to the Flash Request Upload. ashx, so the requested file is sent to upload. ashx is a new session. Of course, this session is not logged on.

The idea for solving this problem is also very simple, that is, manually passing the sessionid to the server, then the server reads the sessionid and loads the session. In fact, the solution to the problem has been provided in the swfupload demo, that is, to set the post_params parameter in the swfupload constructor:

 
Swfu =NewSwfupload ({
Post_params :{
"Aspsessid": "<% = session. sessionid %>"
}
 

Copy code

The key-value pairs set in post_params are passed to upload. ashx in form, that is, swfupload provides an interface for adding custom request parameters to requests. The aboveCodeWrite the sessionid of the current page to the aspsessid value. After the user uploads the file, the aspsessid will be passed to the server. Add the following code to application_beginrequest of Global. asax:

             VaR Request = httpcontext. Current. request;
 VaR Response = httpcontext. Current. response;

 Try 
{
 String Session_param_name = "  Aspsessid  " ;
 String Session_cookie_name = "  ASP. net_sessionid  " ;

 If (Httpcontext. Current. Request. Form [session_param_name]! = Null )
{
Updatecookie (session_cookie_name, httpcontext. Current. Request. Form [session_param_name]);
}
 Else   If (Httpcontext. Current. Request. querystring [session_param_name]! = Null )
{
Updatecookie (session_cookie_name, httpcontext. Current. Request. querystring [session_param_name]);
}
}
Catch (Exception)
{
Response. statuscode = 500 ;
Response. Write ( "  Error initializing session  " );
}

Copy code

The updatecookie method is defined as follows:

         Static   Void Updatecookie ( String Cookie_name,String Cookie_value)
{
Httpcookie cookie = httpcontext. Current. Request. Cookies. Get (cookie_name );
 If (Cookie = Null )
{
Cookie = New Httpcookie (cookie_name );
 //  The code in the swfupload demo has a problem. You need to add the cookie. expires setting.  
 Cookie. expires = datetime. Now. addyears ( 1 );
Httpcontext. Current. Request. Cookies. Add (cookie );
}
Cookie. value = cookie_value;
Httpcontext. Current. Request. Cookies. Set (cookie );
}

Copy code

 

Principle: when a user request arrives at the ASP. NET engine, the application_beginrequest method is called first. In the method, check whether the client has submitted the aspsessid. If yesWrite the value of aspsessid to the cookie (with "ASP. net_sessionid" as the key, because sessionid in ASP. NET is saved in the cookie where "ASP. net_sessionid" is the key)After application_beginrequest, you can read the value of "ASP. net_sessionid" from the cookie to restore the session on the page.

If the website still uses the formsauthentication verification of membership, you also need to process the authid according to the sessionid method,This is the case when talking about swfupload.Article.

Set the post_params parameter in the swfupload constructor:

Swfu =NewSwfupload ({
Upload_url: "/adminht/uploadarticleimg. ashx ",
Post_params :{
"Aspsessid": "<% = session. sessionid %> ",
"Authid": "<% = request. Cookies [formsauthentication. formscookiename]. Value %>"
},
 

Copy code

Add the following code to application_beginrequest of Global. asax:

             Try 
{
 String Auth_param_name = "  Authid  " ;
 String Auth_cookie_name = formsauthentication. formscookiename;

 If (Httpcontext. Current. Request. Form [auth_param_name]! = Null )
{
Updatecookie (auth_cookie_name, httpcontext. Current. Request. Form [auth_param_name]);
}
 Else   If (Httpcontext. Current. Request. querystring [auth_param_name]! = Null )
{
Updatecookie (auth_cookie_name, httpcontext. Current. Request. querystring [auth_param_name]);
}

}
 Catch (Exception)
{
Response. statuscode = 500 ;
Response. Write ( "  Error initializing Forms authentication  " );
}

Copy code

 

swfupload is a very good asynchronous upload component, but it may cause problems when used in browsers such as chrome and Firefox. The problem is as follows: to avoid skipping the upload page and directly sending "general processing program for receiving swfupload uploads" (for example, upload. the webshell vulnerability occurs when a request is sent. ashx implements permission control. Only login users can upload data. There is no problem in IE, but the error "user is not logged on" is reported when running in chrome ".

after searching, it is found that swfupload is uploaded by flash, flash sends the cookie of the current page to upload in IE. ashx, but chrome and Firefox do not send the cookie of the current page to upload. ashx. because session is implemented by the sessionid saved in the cookie (Asp. the net video tutorial describes the relationship between sessions and cookies. If you are not familiar with this, refer to "Chuan Zhi podcast video tutorial version 2011: Asp. net, so that the current page cookie will not be passed to the Flash Request Upload. ashx, so the requested file is sent to upload. ashx is a new session. Of course, this session is not logged on.

The idea for solving this problem is also very simple, that is, manually passing the sessionid to the server, then the server reads the sessionid and loads the session. In fact, the solution to the problem has been provided in the swfupload demo, that is, to set the post_params parameter in the swfupload constructor:

 
Swfu =NewSwfupload ({
Post_params :{
"Aspsessid": "<% = session. sessionid %>"
}
 

Copy code

The key-value pairs set in post_params are passed to upload. ashx in form, that is, swfupload provides an interface for adding custom request parameters to requests. The above code writes the sessionid of the current page to the aspsessid value. After the user uploads the file, the aspsessid will be passed to the server. Add the following code to application_beginrequest of Global. asax:

             VaR Request = httpcontext. Current. request;
 VaR Response = httpcontext. Current. response;

 Try 
{
 String Session_param_name = "  Aspsessid  " ;
 String Session_cookie_name = "  ASP. net_sessionid  " ;

 If (Httpcontext. Current. Request. Form [session_param_name]! = Null )
{
Updatecookie (session_cookie_name, httpcontext. Current. Request. Form [session_param_name]);
}
 Else   If (Httpcontext. Current. Request. querystring [session_param_name]! = Null )
{
Updatecookie (session_cookie_name, httpcontext. Current. Request. querystring [session_param_name]);
}
}
Catch (Exception)
{
Response. statuscode = 500 ;
Response. Write ( "  Error initializing session  " );
}

Copy code

The updatecookie method is defined as follows:

         Static   Void Updatecookie ( String Cookie_name,String Cookie_value)
{
Httpcookie cookie = httpcontext. Current. Request. Cookies. Get (cookie_name );
 If (Cookie = Null )
{
Cookie = New Httpcookie (cookie_name );
 //  The code in the swfupload demo has a problem. You need to add the cookie. expires setting.  
 Cookie. expires = datetime. Now. addyears ( 1 );
Httpcontext. Current. Request. Cookies. Add (cookie );
}
Cookie. value = cookie_value;
Httpcontext. Current. Request. Cookies. Set (cookie );
}

Copy code

 

Principle: when a user request arrives at the ASP. NET engine, the application_beginrequest method is called first. In the method, check whether the client has submitted the aspsessid. If yesWrite the value of aspsessid to the cookie (with "ASP. net_sessionid" as the key, because sessionid in ASP. NET is saved in the cookie where "ASP. net_sessionid" is the key)After application_beginrequest, you can read the value of "ASP. net_sessionid" from the cookie to restore the session on the page.

If the website still uses the formsauthentication verification of membership, you also need to process the authid according to the sessionid method,This is not mentioned in other articles about swfupload bug handling.

Set the post_params parameter in the swfupload constructor:

Swfu =NewSwfupload ({
Upload_url: "/adminht/uploadarticleimg. ashx ",
Post_params :{
"Aspsessid": "<% = session. sessionid %> ",
"Authid": "<% = request. Cookies [formsauthentication. formscookiename]. Value %>"
},
 

Copy code

Add the following code to application_beginrequest of Global. asax:

             Try 
{
 String Auth_param_name = "  Authid  " ;
 String Auth_cookie_name = formsauthentication. formscookiename;

 If (Httpcontext. Current. Request. Form [auth_param_name]! = Null )
{
Updatecookie (auth_cookie_name, httpcontext. Current. Request. Form [auth_param_name]);
}
 Else   If (Httpcontext. Current. Request. querystring [auth_param_name]! = Null )
{
Updatecookie (auth_cookie_name, httpcontext. Current. Request. querystring [auth_param_name]);
}

}
 Catch (Exception)
{
Response. statuscode = 500 ;
Response. Write ( "  Error initializing Forms authentication  " );
}

Copy code