php jquery session uploadify session-hijacking

How to securely pass and set session id?


I'm using uploadify and the script (which uses Adobe Flash) creates a new session instead of using the current one when requesting the upload action url. To fix that I need to pass ahead the session id.

Is there a way to do this without permitting session fixation (hijacking)?

Here are some details of the problem: Sessions and uploadify

Thanks!


Solution

  • Create a temporary upload session in your script (untested, but you get the point about being able to have several different sessions):

    <?php
    // normal session
    session_start();
    if (!empty($_SESSION['logged_in'])) { // or however you check for a valid user
        // store session id for retrieval
        $oldsessionid = session_id();
        // stop old/normal session
        session_write_close();
        // create a new session name (session_name() returns the previous one)
        $oldname = session_name('UPLOADSESSION');
        // create a new random id, so it cannot be guessed or shared between users
        session_id(bin2hex(random_bytes(16)));
        // start the session
        session_start();
        $_SESSION['upload'] = true;
        $uploadid = session_id();
        // now you can use `'data: "artist="+$fi+"&UPLOADSESSION="'.$uploadid` in uploadify
        session_write_close();
        // return to normal name
        session_name($oldname);
        // set old session id
        session_id($oldsessionid);
        // resume normal session
        session_start();
    }
    

    So, in your receiving script:

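    <?php
    session_name('UPLOADSESSION');
    // reject a missing id or one with characters PHP session ids cannot contain
    $id = isset($_POST['UPLOADSESSION']) ? $_POST['UPLOADSESSION'] : '';
    if (!is_string($id) || !preg_match('/^[A-Za-z0-9,-]+$/', $id)) {
        http_response_code(403);
        exit;
    }
    session_id($id);
    session_start();
    // an unknown id yields an empty session, so this check fails for it
    if (isset($_SESSION['upload']) && $_SESSION['upload']) {
       //accept files
       //invalidate session after this upload
       $_SESSION['upload'] = false;
    }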
    

    The user will still have 2 cookies, and possibly UPLOADSESSION is fixated, but you don't use it for anything else than uploading, and only for 1 upload (although you might want to allow more).

    Alternatively, you could just call a session_regenerate_id(); on the first request after an upload (just set a flag in the $_SESSION on upload).
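
The alternative from the last paragraph, sketched as an added example that is not part of the original answer: the upload endpoint resumes the main session from a POSTed id and sets a flag, and the next normal request regenerates the id. The POST field name `sid`, the session keys `logged_in` and `regenerate_after_upload`, and both function names are assumptions made for illustration.

```php
<?php
// Added example (not from the original answer).
// Assumed names: POST field 'sid', session keys 'logged_in' and
// 'regenerate_after_upload', and both function names.

// Upload endpoint: resume the main session from the id Uploadify posted.
function resume_session_for_upload(): bool
{
    $sid = $_POST['sid'] ?? '';
    // Only accept characters PHP session ids can contain.
    if (!is_string($sid) || !preg_match('/^[A-Za-z0-9,-]{16,128}$/', $sid)) {
        return false;
    }
    session_id($sid);
    session_start();
    if (empty($_SESSION['logged_in'])) {
        // Unknown or anonymous id: PHP created an empty session for it.
        // Destroy it so a posted id can never become a usable session.
        session_destroy();
        return false;
    }
    // The id travelled in a request body, so mark it for replacement.
    $_SESSION['regenerate_after_upload'] = true;
    session_write_close();
    return true;
}

// Every normal page: swap the exposed id for a fresh one.
function start_normal_session(): void
{
    session_start();
    if (!empty($_SESSION['regenerate_after_upload'])) {
        unset($_SESSION['regenerate_after_upload']);
        // true = delete the old session data, so the exposed id stops working.
        session_regenerate_id(true);
    }
}
```

Because the old id stops working after regeneration, the page has to give Uploadify the new id before the next upload starts.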