Comments on: Firefox, Flex URLRequest, and Sessions Issue http://www.thanksmister.com/index.php/archive/firefox-flex-urlrequest-and-sessions-issue/ Adobe Flex & AIR Development Mon, 19 Jul 2010 17:26:43 +0000 hourly 1 By: Frank Metal http://www.thanksmister.com/index.php/archive/firefox-flex-urlrequest-and-sessions-issue/#comment-20004 Frank Metal Thu, 11 Feb 2010 23:44:39 +0000 http://thanksmister.com/?p=59#comment-20004 Thanks, my problem was solved passing the session id back to php And in php I do as follows: session_id($_POST['sid']); session_start(); Hope this help others Thanks, my problem was solved passing the session id back to php
And in php I do as follows:

session_id($_POST['sid']);
session_start();

Hope this help others

]]> By: Artem Brigert http://www.thanksmister.com/index.php/archive/firefox-flex-urlrequest-and-sessions-issue/#comment-18563 Artem Brigert Wed, 09 Dec 2009 11:11:41 +0000 http://thanksmister.com/?p=59#comment-18563 Great ! same problem has also Flash 10 + FF + MP3, request.url = urlVar+"?rand="+Math.random(); Thank you! Great !
same problem has also Flash 10 + FF + MP3, request.url = urlVar+”?rand=”+Math.random();

Thank you!

]]> By: mankenler http://www.thanksmister.com/index.php/archive/firefox-flex-urlrequest-and-sessions-issue/#comment-15407 mankenler Thu, 20 Aug 2009 12:15:57 +0000 http://thanksmister.com/?p=59#comment-15407 In Flash 9, the techniques described above (for the LoadVars class) do not work for any browser-provided header (e.g. User-Agent, Host and Referer), nor probably for many "protected" headers such as Content-Length. Still, headers like Expect can be sent, so some attacks (e.g. Example 1 above) are still effective with Flash 9. In Flash 9, the techniques described above (for the LoadVars class) do not work for any browser-provided header (e.g. User-Agent, Host and Referer), nor probably for many “protected” headers such as Content-Length. Still, headers like Expect can be sent, so some attacks (e.g. Example 1 above) are still effective with Flash 9.

]]> By: Perilin http://www.thanksmister.com/index.php/archive/firefox-flex-urlrequest-and-sessions-issue/#comment-14912 Perilin Tue, 04 Aug 2009 06:53:23 +0000 http://thanksmister.com/?p=59#comment-14912 Yep, found that out too a bit later on. My project was for a closed LAN and it worked perfectly (I'm guessing Flash player assumes local IPs are "trusted" or some such). I've been trying to fool it into thinking any IP is trusted but no luck. My only other guess would be to develop some sort of "proxy" script using the session-id-on-url trick that then hands the data over to the 's authentication and uploading system. In the system I used (JAWS CMS) it gets the session ID exclusively from the cookie, so the GET trick won't work, ergo a proxy script is the best bet. Best of luck! Yep, found that out too a bit later on. My project was for a closed LAN and it worked perfectly (I’m guessing Flash player assumes local IPs are “trusted” or some such). I’ve been trying to fool it into thinking any IP is trusted but no luck. My only other guess would be to develop some sort of “proxy” script using the session-id-on-url trick that then hands the data over to the ‘s authentication and uploading system.

In the system I used (JAWS CMS) it gets the session ID exclusively from the cookie, so the GET trick won’t work, ergo a proxy script is the best bet.

Best of luck!

]]> By: HELP! http://www.thanksmister.com/index.php/archive/firefox-flex-urlrequest-and-sessions-issue/#comment-14894 HELP! Mon, 03 Aug 2009 20:20:19 +0000 http://thanksmister.com/?p=59#comment-14894 So how did he get it to work? So how did he get it to work?

]]> By: HELP! http://www.thanksmister.com/index.php/archive/firefox-flex-urlrequest-and-sessions-issue/#comment-14893 HELP! Mon, 03 Aug 2009 20:19:56 +0000 http://thanksmister.com/?p=59#comment-14893 Looking at Perlin's comment's but perlexed: That method produces: ArgumentError: Error #2096: The HTTP request header Cookie cannot be set via ActionScript. at flash.net::URLStream/load() at flash.net::URLLoader/load() Compiling using Flex Builder 3. Why? Have done some research and found that not allowing this is secruity feature in newer flash players: From.. : <a href="" rel="nofollow">http://www.securiteam.com/securityreviews/5KP0M1FJ5E.html </a> <cite> In Flash 9, the techniques described above (for the LoadVars class) do not work for any browser-provided header (e.g. User-Agent, Host and Referer), nor probably for many "protected" headers such as Content-Length. Still, headers like Expect can be sent, so some attacks (e.g. Example 1 above) are still effective with Flash 9.</cite> Looking at Perlin’s comment’s but perlexed:

That method produces:
ArgumentError: Error #2096: The HTTP request header Cookie cannot be set via ActionScript.
at flash.net::URLStream/load()
at flash.net::URLLoader/load()

Compiling using Flex Builder 3.

Why?

Have done some research and found that not allowing this is secruity feature in newer flash players:
From.. : http://www.securiteam.com/securityreviews/5KP0M1FJ5E.html


In Flash 9, the techniques described above (for the LoadVars class) do not work for any browser-provided header (e.g. User-Agent, Host and Referer), nor probably for many “protected” headers such as Content-Length. Still, headers like Expect can be sent, so some attacks (e.g. Example 1 above) are still effective with Flash 9.

]]> By: konyachat http://www.thanksmister.com/index.php/archive/firefox-flex-urlrequest-and-sessions-issue/#comment-14855 konyachat Sun, 02 Aug 2009 09:47:43 +0000 http://thanksmister.com/?p=59#comment-14855 thankyou thankyou

]]> By: Perilin http://www.thanksmister.com/index.php/archive/firefox-flex-urlrequest-and-sessions-issue/#comment-14067 Perilin Tue, 14 Jul 2009 11:23:49 +0000 http://thanksmister.com/?p=59#comment-14067 I had the same problem, but appending the session id to the url didn't work. Luckily AS3/Flex has the URLRequestHeader component, which works quite well. To get the cookie from AS3: [as] public var cookieStr:String; public var cookieHeader:URLRequestHeader; ... ExternalInterface.call('eval','window.cookieStr = function () {return document.cookie};') cookieStr = ExternalInterface.call('cookieStr'); cookieHeader = new URLRequestHeader("Cookie",cookieStr); [/as] Then when you're using your URLRequest object: [as] var urlRequest:URLRequest; urlRequest = new URLRequest(... blah blah, url here, etc etc); urlRequest.requestHeaders.push(cookieHeader); [/as] Hope this helps somebody :) I had the same problem, but appending the session id to the url didn’t work.
Luckily AS3/Flex has the URLRequestHeader component, which works quite well.

To get the cookie from AS3:

1
2
3
4
5
6
public var cookieStr:String;       
public var cookieHeader:URLRequestHeader;
...
                    ExternalInterface.call('eval','window.cookieStr = function () {return  document.cookie};')
cookieStr = ExternalInterface.call('cookieStr');  
cookieHeader = new URLRequestHeader("Cookie",cookieStr);

Then when you’re using your URLRequest object:

1
2
3
var urlRequest:URLRequest;
urlRequest = new URLRequest(... blah blah, url here, etc etc);
urlRequest.requestHeaders.push(cookieHeader);

Hope this helps somebody :)

]]> By: dofus http://www.thanksmister.com/index.php/archive/firefox-flex-urlrequest-and-sessions-issue/#comment-13346 dofus Sat, 30 May 2009 05:26:28 +0000 http://thanksmister.com/?p=59#comment-13346 thanks ^^ thanks ^^

]]> By: sohpet http://www.thanksmister.com/index.php/archive/firefox-flex-urlrequest-and-sessions-issue/#comment-12373 sohpet Mon, 06 Apr 2009 05:16:02 +0000 http://thanksmister.com/?p=59#comment-12373 Thanks Thanks

]]>