Sharing sessions between html and flash

cookieThis has been an issue that has been driving me pretty crazy.. I can't seem to find out how to share a (cookie-)session between flash and php.

The problem is that in certain situations Flash ignores session cookies when sending requests. The situations I know of are Flash Uploads and using Flash Remoting in internet explorer.

I asked my question on #webappsec and on the web application security mailing list, but there wasn't really somebody who could answer my quesion..


  1. I can pass the session id using flashvars directly. Problem with this is, is that the session id is directly embedded into the html and can therefore be stolen using CSRF.
  2. I can use a temporary token, but anybody who has this token can do everything the user can in the flash application. For just the uploads it can work, but for everything else its not really flexible, and doesn't really fix the problem.
  3. I could turn off httponly cookies and pass the session id using javascript straight to the flash movie.. This could be me only option, but I dislike it because its not as transparent as it should be and requires additional logic using javascript and flash (and php).
  4. Force the user to login when using flash.. Not really a nice solution from a usuability perspective..

I'm wondering how other people go about this.. Is there a satisfying solution at all? Or can it only be done using a combination of nasty hacks?

Web mentions


  • Trauma


    I ran into this very same problem a few days ago. Ultimately, I wasn't able to find any real solutions that I liked. So I ended up using javascript and something similar to your #2 option.

    It seems like there should be some mechanism for Flash to just piggyback the browser session cookie as long as it's communicating with the same server as the browser.
  • Campbell


    Yeah standard requests that are made from flash (ie not remoting etc) all are proxied through the browser soooo.
    I you are really concerned with security use a challenge response type setup. Make a standard http/s request (which will include the session id automatically) handle that in php etc and send back a response key that in you server side mapps to the session id. then in your remoting code pass that with the object. All a little too involved so make sure your security is really needed.
  • Evert



    I like your solution a lot.. didn't think of handling it that way.

    I am wondering about what happens if a malicious site makes a request to the url which distributes the tokens..
  • Manfred Weber

    Manfred Weber

    Mind to explain me how someone should steal the session when you embedd the flashvars id into html (#1)? I don´t see any security issue here.
  • Evert


    Read up on CSRF (cross-site request forgery)

    Basically somebody can embed for example an iframe on another site containing the application..

    Then all you have to do is a simple search in html for the session and your done..
  • Manfred Weber

    Manfred Weber

    ah, ic. Still not 100% sure about it but ok. Why not simply using getURL() or the mx.service.Webservice:
  • Evert


    The main problem is that a user logs into a (html-based) web application.

    We know the user is logged in and its privileges using a session cookie.. This cookie contains a unique id we match on the server with some information telling us the user is actually logged in.

    However, some parts of our application are flash-based.. such as a file uploader. Flash doesn't automatically send the session cookie in those situation, so we can't check anymore what user it is, if he's logged in and what its privileges are..

    One way to solve the problem is to tell flash directly what the contents of the session cookie is, pass it to the server while uploading and on the server side re-connect it to the session information..

    That leaves us with one final problem, how to pass that session cookie securely to the flash movie.. If somebody gets their hands on a session cookie of a logged in user (or admin) it will automatically mean they will gain all the privileges of that admin and possibly abuse it.

    Hope that helps
  • Manfred Weber

    Manfred Weber

    If I understand that right than you could create a Flash Movie which identifies against the server session_id with getUrl(), etc. (Not within the flash-tag within the html page). Now I am just wondering if CSRF will also work because one could for instance create an invisible frame with that specific swf file embedded and then listen to what is send or received fom that hidden frame?
  • Epoch


    I'd recommend the option where Flash requests the cookie via JavaScript. If you're concerned about cross-domain hacks, simply don't store the user's access key as a Flash SharedObject, and request it from JavaScript each time from Flash to be kept temporarily in memory as a variable. This access key will already be stored as a cookie on the user's disk. If the cookie is flagged to transfer as encrypted only, simply append https:// to the URLs you'll be sending that access key from Flash.

    As far as order of operations go, there shouldn't be any synchronization issues with this approach, but if you believe it could be a potential problem, that's easily solved by an event-design.
  • AMacDonald


    check your mail :)
  • temuri


    I am trying to implement SWF uploader component with PHP as a backend. The problem I'm having has already been discussed before - how to propagate user session to pages that you access with Flash network request.

    Here is the link on the topic:

    Have you been able to figure out the best way of doing it?

    Here's the scenario in details:

    1. Upload page containing SWF uploader is accessible to authorised users
    2. A user logs in on HTML page (plain old
    ) and gains access to HTML page containing SWF uploader.
    3. Files are posted to "upload.php" on the server.
    4. upload.php should already be aware of the existing user session to place uploaded files into user's home folder and to create correct database records.

    So the problem is with item #4. A new session is created by upload.php, thus losing authentication info.

    Any ideas on how to solve it?

    By the way, I experience this problem only with Firefox. Oddly enough, in IE "upload.php" does remebers the session!

  • Evert


    My solution was to disable httponly cookies (slightly reduces security on IE) and to dynamically pass the session using javascript..

    Javascript can simply access the cookie, and by not embedding it straight in the page there's less of a security risk.
  • JWT


    Your answer is yes and no. All depends.. Remoting can hold a session, file uploading will not in firefox, but does in IE because of a bug in IE (not talking the latest version of IE, I don't know about that one). Simply creating a session via remoting causes IE to use that session as well as Flash as far as remoting is concerned. If your goal is to do a secure login before upload via Flash+php, then you either need to use IE or force Firefox to use the new session via JavaScript. Flash and session management can be a real pain, specially when you don't want to reload a swf because of a session change.
  • jules


    my understanding is that the firefox problem on windows with swf-based uploads is that the flash plugin piggy-backs IEs network engine to do the upload. So essentially, from the server's point of view, it is a new IE session. So the browser needs to tell the swf the 'real' session ID and then the .swf needs to pass that on upload, from what I recall reading.
  • Gary Stanton

    You guys need to keep it simple. I assume that if you are uploading stuff then you are also storing information about it in some sort of database, e.g. mySQL.

    If this is the case simply create the mySQL entry prior to uploading, and give it a unique ID in the mySQL database. Then just pass the upload ID to the flash uploader.

    You would also have an 'uploaded' column in the mySQL table of data type boolean. This would be false at first, but you set it to true once the upload is complete. Once the uploaded column is set to true that upload ID has expired. You can even put a column containing the timestamp of when the mySQL enrty was created, and make sure the upload is started within a few minutes or so after.
  • Gary Stanton

    Oh, and guys, there is no risk of the session id being discovered if you embed the session id in the page. Although you are correct in saying that another site could open your flash application in an iframe, the site could not do "a simple search in html for the session and your done"; this is because browser cross domain restrictions prevent access to the HTML in your page from any different domains.

    I dont think you correctly understand the concept of CSRF.
  • Evert



    Your right, there's no direct risk of having the session directly in the html, and I made a mistake there..

    however, before I always had the id directly in the flashvars, one thing I noticed that since our swfs generally end up at a number of places.. at times the session id was just copy-pasted or hardcoded at a number of spots and indirectly it became an issue..

    I like the javascript approach, because its more or less transparent..
  • Evert


    Also, your other comment about keeping it simple.. thats a design choice.. If you are dealing with a flash app that has to upload more than one file in a session, it would have to fetch an id before every upload.

    There's pro's and cons, and my definition of simple was in this case not having an extra request to the server..
  • Mark Claudius Png

    Mark Claudius Png

    Use PHP's session_id() feature. This is what you do, although not very secure for now, but just to show you an example:

    Use PHP to pass the value of session_id() to Javascript.
    Pass this value as Flashvars (e.g. sessionID).
    In Flash, you can access this using root.loaderInfo.parameters.sessionID.
    When you do a call, make sure the URLRequest has the additional ?sessionID=root.loaderInfo.parameters.sessionID
    In your PHP script 'before' you call session_start, use session_id($_GET['sessionID']) to set your session.

    this way you maintain your authentication. Got a problem, write back to me. Works on my apps tho.
  • Raghvendra


    why don't you make a login box in flash, to send user/pass to PHP script for validation - and then the PHP script could return the SESSION_ID on successful validation[sendAndLoad()].

    you could also make a global variable to hold that session ID for ever[till log-off].

    or if session has already been started in HTML; then you may make room for LoadVars("page.php") in first frame to retrieve SESSION_ID from PHP page when the movie loads.
    [php page should echo() the session id if session has been started]
  • Evert


    If the session already started, and you'll do a LoadVars you will actually start a new session in some browsers. Wouldn't be able to tell you off hand which one as this post is 2,5 years old, but I believe IE is the main culprit.

    Also to comment on mark, you're completely misunderstanding the issue. It's easy to get a hold of the actual id, but how to you pass the id in a responsible/secure matter.

    In any event, I feel sessions in general aren't very secure here. I've started to use signed messages based on a public key.
  • Matt Montag

    Matt Montag

    Interesting conversation here. Good to see the recent comments. I will keep investigating...