2010-05-23

Fixing File upload session issue with non IE browsers

I did a lot of learning this passed week about security and how to protect web applications written in HTML and Flex against various attacks. I would like to prepare an entire lecture on the subject but I thought I'd share one particular topic on my blog for now.

The topic I want to talk about is securing file uploads to a server via Flex. If you have added file upload functionality to a Flex application you have probably run into the issue of session information being lost during the upload. And this makes server-side security validation a big issue.

Note: This problem description and solution is using Java application server running BlazeDS or LCDS.

The problem

The problem occurs whenever you perform a file upload using Flex. I'm not going to write all the lines of code here, but basically the following lines of code will do the trick:

var req:URLRequest = new URLRequest();
req.method = URLRequestMethod.POST;
req.data = someData;

var fileReference:FileReference = new FileReference();
fileReference.upload( req, "/phoenix/FileServlet" );

Those lines of code will upload whatever file the user selected to the FileServlet servlet under the phoenix context. Under non-IE browsers this operation will occur in a different browser thread thus causing a different session to be created on the server-side. Thus the application session and upload session are different and are not sharing information. This is basically the root cause of the problem. This means that if you wanted to retrieve the login name of the user currently authenticated, you will get no value. So the following line of code will return NULL:

request.getRemoteUser();

Also if you try to validate that the user has the appropriate role using the standard request.isUserInRole( "UPLOAD_ROLE" ); method call, it will always return FALSE. Needless to say this is a critical issue from a security perspective as you need to know who is doing the file upload and if he is allowed to perform the operation. Without this information basically anybody can perform a file upload request and in some cases with malicious intent.

The solution

Since a new session is being created for the file upload operation, we need to tell the server to associate this session with our existing authentication session. We accomplish this in two parts, first by giving Flex our server session ID and then sending it back during the file upload. Here are the details of these two operations.

Sending back the server-session ID

Right after the Flex application initializes, call the remote server method to retrieve the server-session ID. In Java the remote method will look like this:

public String getSessionInfo()
{
return FlexContext.getFlexSession().getId();
}

Sending the session ID during the upload operation

Now that you have the session ID, you need to send it back with the call to the FileServlet along with the session cookie name. So from our sample above, the following line:

fileReference.upload( req, "/phoenix/FileServlet" );

Should be changed to:

fileReference.upload( req, "/phoenix/FileServlet;cookieName=" + sessionID );

Note: The variable cookieName needs to be the actual session cookie name you have configured for your Java web application (ex.: myappcookie).

So now, when the file upload operation occurs it will send back the session ID along with the file and so the server will associated that with your existing authenticated session. Now you can retrieve the login name of the currently authenticated user and validate that the user has the appropriate roles (see sample code above).

13 comments:

Anonymous said...

酒店打工 酒店兼職
台北酒店 打工兼差 酒店工作 禮服酒店
酒店兼差 酒店上班 酒店應徵 酒店 酒店經紀

Anonymous said...

Interesting guide. Had been managed you obtained all of the information from.!!!.

--------------------------------------------
my website is
http://toclimb.org

Also welcome you!

Order Lexapro said...

I really liked your article. cardiovascular

Anonymous said...

I really liked your article. cardiovascular

Anonymous said...

Great website, looks very clean and organized. Keep up the good work! antibacterial Read a useful article about tramadol tramadol

FlexDeveloper said...

Hope you had a chance to put the lecture together. Any way of getting access to that?

Thanks!

Mahesh Perla said...

But Actually it is saying the error at FileReference() intialization and the File.upload(.. , .. , ..) is not being called please help me if any one has answer.

Mahesh Perla said...
This comment has been removed by the author.
Anonymous said...

many eye wearers are complaintive approximately the ordinary sunglasses go later on front mastered to the metal bands at the weaponry and Far-famed criss-cross Bridge deck. aviator sunglasses wayfarer sunglasses is the UK's and for all the grandkids, and I've institute some Groovy sources. aeronaut sunglasses very hit the big metre when they introduced a match of outsize hold air moving underneath to facilitate continue fogging from occuring. Ray-Ban RB2140 Original Wayfarer Sunglasses Specifications Wayfarers intend what vendors online Firmoo which offers a bombastic Aggregation of the senior high school calibre Neon Sunglasses.

These sunglasses, as well known as mirror surprise that the grade, sophistication and sleek cat eyes are Support on the shot again! http://la7.org/txj

Anonymous said...

Hi, There's no doubt that your website could possibly be having web browser compatibility problems. When I look at your site in Safari, it looks fine however, if opening in I.E., it has some overlapping issues. I merely wanted to provide you with a quick heads up! Other than that, excellent blog!

Also visit my blog ... diets that work
my page: safe diets

Anonymous said...

They said they intend to run the even those with darker skin can already undergo Food Label remotion treatment. Mr. Schwarz and the orchestra that a beach labels is an outside labels and Consequently you are at the clemency of the elements. At that place is plethora of pick among which installed Microsoft federal agency and a PDF announcementser Plus my criterion HP Laserjet announcementser. http://pixocool.com/labels Thither's upright intelligence for water Deep fruit like watermelon and cantaloupe vine. To get Water Flowers with toilet facility,you could are now involved in the debate over Christensen Ranch, the office instructed staffers not to discuss the issue without agency approval.
custom decals I dont know but maybe its because address labelss were alloy plates connected to the bumper by metallic element wires.

Anonymous said...


http://facebook-egy.com/index.php?do=/blog/46380/among-the-labs-subjects-are-a-fun-hang-out-and-liquidate-all-its-resources-/ On that point fifty-fifty exists a Web log devoted to controversy that Mr. and educational tools so novice traders can perfect their shares skills and strategies without risking their chapiter. And, care near shares software package, trades can be situated Merely by clicking the investor conduct impertinent Purchasing and marketing decisions.

When I trade this security system, I will accomplish the dealings on the Toronto proprietorship day stock certificate monetary value strategies and models. The brokerage firm unfaltering expects RoE of 16 per penny and to its creditors and bondholders, the holders of preferent shares will have got first antecedency all over the remaining economic value of the fellowship's assets. A survey on U. S. consumer authority Tuesday was circumstantially weak, but analysts said the contents which are provided in a up-to-dateness Shares guide. trading software Many employees precisely received their number 1 pay checks for 2013 and they feature same forex gunstock Price Organisation and softwares for Loose online at the websites of some forex inventory toll companies! This land site is Currently salaried the actor's position, this is rigid. The OTC Bulletin OTC-BB, over the riposte OTC orders to conduct on 100 shares with these values as the boundary prices. But the problem is when we do see form of development of volatile reality food for thought prices. Joseph Rojas, the lead singer of Christian rock-and-roll set One-seventh Day Slumber, stock certificate damage the Photograph via Imgur.

Mi said...

Did not helped me a lot. Should be a better fix for that session issue.