Sharing sessions between html and flash

This has been an issue that has been driving me pretty crazy: I can't seem to find out how to share a (cookie-)session between Flash and PHP.

The problem is that in certain situations Flash ignores session cookies when sending requests. The situations I know of are Flash uploads and using Flash Remoting in Internet Explorer.

I asked my question on #webappsec and on the web application security mailing list, but there wasn't really anybody who could answer my question.

Options

  1. I can pass the session id directly using flashvars. The problem with this is that the session id is embedded directly into the HTML and can therefore be stolen using CSRF.
  2. I can use a temporary token, but anybody who has this token can do everything the user can in the Flash application. For just the uploads this can work, but for everything else it's not really flexible, and it doesn't really fix the problem.
  3. I could turn off httponly cookies and pass the session id using JavaScript straight to the Flash movie. This could be my only option, but I dislike it because it's not as transparent as it should be and requires additional logic in JavaScript and Flash (and PHP).
  4. Force the user to log in again when using Flash. Not really a nice solution from a usability perspective.

I'm wondering how other people go about this. Is there a satisfying solution at all? Or can it only be done using a combination of nasty hacks?
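One way to take the sting out of option 2 above, as an added example that is not part of the original post: instead of handing the Flash movie the session id, the HTML page (where the session cookie works) mints a token that is bound to one user and one purpose, lives for a few minutes and is consumed on first use. Because Flash sends no cookie to the upload script, the token has to live in a server-side store rather than in $_SESSION; UploadTokenStore below is an in-memory stand-in for such a store (a database table in practice). All names here are this example's own, and it assumes random_bytes(), i.e. PHP 7 or newer.

```php
<?php
// Added example (not code from the original post): a short-lived, single-use,
// single-purpose token that a Flash upload can present instead of the session id.
// UploadTokenStore stands in for a real server-side table; the upload handler
// cannot use $_SESSION because Flash does not send the session cookie.

class UploadTokenStore {
    private $tokens = array();   // token => array('user', 'purpose', 'expires')

    // Called from the HTML side, where the normal session (and thus the user id)
    // is available. The token is what gets passed to the movie via flashvars.
    public function issue($userId, $purpose, $lifetimeSeconds = 300) {
        $token = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG (PHP 7+)
        $this->tokens[$token] = array(
            'user'    => $userId,
            'purpose' => $purpose,
            'expires' => time() + $lifetimeSeconds,
        );
        return $token;
    }

    // Called from the upload handler with the token from the POST body.
    // Returns the user id on success, or false. The token is deleted on the
    // first attempt, valid or not, so a captured token cannot be replayed.
    public function consume($token, $purpose) {
        if (!is_string($token) || !isset($this->tokens[$token])) {
            return false;
        }
        $entry = $this->tokens[$token];
        unset($this->tokens[$token]);              // single use
        if ($entry['expires'] < time()) {
            return false;                          // expired
        }
        if ($entry['purpose'] !== $purpose) {
            return false;                          // issued for something else
        }
        return $entry['user'];
    }
}

// Stand-alone demonstration: user 42 gets an upload token, the upload handler
// accepts it once, and a second use or a use for another purpose is refused.
$store = new UploadTokenStore();

$token = $store->issue(42, 'upload', 300);
var_dump($store->consume($token, 'upload'));   // accepted: the user id
var_dump($store->consume($token, 'upload'));   // refused: already used

$other = $store->issue(42, 'upload', 300);
var_dump($store->consume($other, 'remoting')); // refused: wrong purpose
```

The point of the purpose field is that a token leaked from the page source only ever buys an attacker one upload on behalf of that user within the next five minutes, not the whole session; the same store could issue separate, equally narrow tokens for Flash Remoting calls if those also need to run without the cookie.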

SabreAMF featured on Adobe DevNet and 0.4 out

Renaun Erickson wrote an article about SabreAMF on Adobe DevNet. Be sure to check it out!

It explains how to create AMF services and provides a class that locates servers and automatically invokes methods using SabreAMF.

SabreAMF 0.4

0.4 was also released (actually it was a while back, so I'm a little late announcing it). Here are the changes:

  1. Added SabreAMF_DetailException. This is an interface you can use on your exceptions. It introduces the getDetail() method, which allows you to provide more information about the exception that occurred, in a way that's native for Flash and Flex.
  2. Added SabreAMF_ClassNotFoundException and SabreAMF_UndefinedMethodException. These are default exception classes you can use in your services; they provide compatibility with the exceptions ColdFusion throws.
  3. Added event handlers for the classmapper. Using these you can provide auto class mapping without knowing the class names beforehand. Here's an example:

     <?php

     // This function receives the name of a Flash/Flex class and should return
     // the name of the corresponding PHP class, or false when there is none.
     // Mapping only names you expect keeps a client from selecting arbitrary
     // PHP classes; here every remote class in the (made-up) "com.example"
     // package maps to a local class with the same short name, if it exists.
     function myClassMapper($remoteClass) {
         if (strpos($remoteClass, 'com.example.') !== 0) {
             return false;
         }
         $localClass = substr($remoteClass, strlen('com.example.'));
         return class_exists($localClass) ? $localClass : false;
     }

     // onGetLocalClass is a static property holding a callback, hence the $.
     SabreAMF_ClassMapper::$onGetLocalClass = 'myClassMapper';

     // If you want to know how callbacks work, read about it here:
     // http://www.php.net/manual/en/language.pseudo-types.php#language.types.callback

     ?>
  4. Added an onAuthenticate event to SabreAMF_CallbackServer, which provides a default way to handle authentication using Flash's setCredentials and Flex's setRemoteCredentials.
  5. Fixed a small PHP 5.0.x compatibility bug (no guarantees for making it work, this was just low hanging fruit)
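As an added example of the SabreAMF_DetailException interface from item 1 (this is not SabreAMF's own code): a validation exception whose getDetail() returns a structured, client-safe object, so the Flash or Flex fault handler gets the failing fields rather than a stack trace. It assumes, as the changelog says, that the interface declares only getDetail(); the interface is declared here only when SabreAMF is not loaded, so the file runs stand-alone, and ValidationException and UserService are this example's own names.

```php
<?php
// Added example, not code from SabreAMF: a service exception implementing
// SabreAMF_DetailException. Assumption: the interface declares only getDetail().
// It is declared here only when SabreAMF is not loaded, so this runs by itself.
if (!interface_exists('SabreAMF_DetailException')) {
    interface SabreAMF_DetailException {
        public function getDetail();
    }
}

class ValidationException extends Exception implements SabreAMF_DetailException {
    private $fieldErrors;

    public function __construct($message, array $fieldErrors) {
        parent::__construct($message);
        $this->fieldErrors = $fieldErrors;
    }

    // Return only what the client needs to act on (which fields failed and why).
    // Whatever this returns is serialized to AMF and ends up in the Flash movie,
    // so keep stack traces, queries and other internal state out of it.
    public function getDetail() {
        return array('fieldErrors' => $this->fieldErrors);
    }
}

// A service class of the kind a Flash client would call through SabreAMF.
class UserService {
    public function register($username, $email) {
        $errors = array();
        if (strlen($username) < 3) {
            $errors['username'] = 'must be at least 3 characters';
        }
        if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
            $errors['email'] = 'is not a valid e-mail address';
        }
        if ($errors) {
            throw new ValidationException('Registration failed', $errors);
        }
        return true;
    }
}

// Stand-alone demonstration of the detail the client would receive.
$service = new UserService();
try {
    $service->register('ab', 'not-an-address');
} catch (SabreAMF_DetailException $e) {
    echo $e->getMessage(), "\n";
    print_r($e->getDetail());
}
```

Catching on the interface rather than on the concrete class is what lets a generic fault handler on the PHP side (or SabreAMF itself) treat every exception that carries a detail object the same way.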

When there's a 1.0 I will work on a proper manual, explaining all the features. (or if there are volunteers to do it now ;) ).


About

My name is Evert, and I've been writing semi-regularly on this blog since 2006.

I'm currently available for contract work.
