Sharing sessions between html and flash
This has been an issue that has been driving me pretty crazy. I can't seem to find out how to share a (cookie-)session between Flash and PHP.
The problem is that in certain situations Flash ignores session cookies when sending requests. The situations I know of are Flash uploads and using Flash Remoting in Internet Explorer.
I asked my question on #webappsec and on the web application security mailing list, but there wasn't really anybody who could answer my question.
- I can pass the session id using flashvars directly. The problem with this is that the session id is directly embedded into the HTML and can therefore be stolen using CSRF.
- I can use a temporary token, but anybody who has this token can do everything the user can in the Flash application. For just the uploads it can work, but for everything else it's not really flexible, and doesn't really fix the problem.
- Force the user to log in when using Flash. Not really a nice solution from a usability perspective.
I'm wondering how other people go about this. Is there a satisfying solution at all? Or can it only be done using a combination of nasty hacks?
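An added example, not part of the original post: the temporary-token option written in PHP so that the value placed in flashvars is valid only for uploads and only for a few minutes, and never contains the session id. The function names, the `upload` scope label, the 300-second lifetime, and the sample secret and user id are assumptions; it also assumes the upload handler only needs to know which user is uploading.

```php
<?php
// Added example: an upload-only, short-lived token to pass via flashvars
// instead of the session id. All names and values here are illustrative.

const TOKEN_TTL = 300; // assumed lifetime in seconds

// Called by the page that embeds the Flash uploader (the user is already
// authenticated through the normal cookie session at this point).
function issue_upload_token(int $userId, string $secret, int $now): string
{
    $fields = ['upload', (string)$userId, (string)($now + TOKEN_TTL), bin2hex(random_bytes(8))];
    $payload = implode('|', $fields);
    // The HMAC stops a client from changing the scope, user id or expiry.
    return base64_encode($payload . '|' . hash_hmac('sha256', $payload, $secret));
}

// Called by the upload endpoint, which receives no session cookie from Flash.
// Returns the user id on success, or null if the token must be rejected.
function verify_upload_token(string $token, string $secret, int $now): ?int
{
    $raw = base64_decode($token, true);
    if ($raw === false) {
        return null;
    }
    $parts = explode('|', $raw);
    if (count($parts) !== 5) {
        return null;
    }
    [$scope, $userId, $expires, $nonce, $mac] = $parts;
    $expected = hash_hmac('sha256', implode('|', [$scope, $userId, $expires, $nonce]), $secret);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return null;
    }
    if ($scope !== 'upload' || !ctype_digit($userId) || !ctype_digit($expires)) {
        return null;
    }
    if ((int)$expires < $now) {
        return null; // expired
    }
    // The nonce makes each token unique; recording used nonces server-side
    // would make the token single-use (not done here).
    return (int)$userId;
}

// Constructed sample values, for demonstration only.
$secret = 'constructed-demo-secret';
$token  = issue_upload_token(42, $secret, time());
var_dump(verify_upload_token($token, $secret, time()));          // fresh token
var_dump(verify_upload_token($token, $secret, time() + 3600));   // after expiry
var_dump(verify_upload_token($token . 'x', $secret, time()));    // tampered token
```

Only the upload endpoint should accept this token; every other request keeps relying on the cookie session, so a leaked token exposes uploads for a few minutes rather than the whole account.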