When you build web applications with ASP.NET, you may find that the session is lost when uploading files through Image Uploader for Java in Firefox. This article describes how to solve this problem.

Overview

When you try to upload files with Image Uploader in Firefox 2.0.0.5 or later, you may find that your session cookies are lost.
This problem is related to:
- Image Uploader for Java (any version);
- Mozilla Firefox 2.0.0.5 or later;
- HTTP-only cookies usage.

Reason

Starting with version 2.0.0.5, Firefox supports HTTP-only cookies and makes it impossible to read them using JavaScript. This increases security and helps protect your site against cross-site scripting attacks. In particular, such cookies are used in the standard ASP.NET authentication mechanism.
When the Java version of Image Uploader prepares a POST request before uploading it to the server, it extracts all cookies that were downloaded along with the page that hosts Image Uploader. To get the cookies, Image Uploader uses the same object model as you do in JavaScript (as if you used document.cookie).
However, the browser does not allow Image Uploader to read HTTP-only cookies, so they are not included when you post files to the server. In particular, this means that ASP.NET is not able to identify the session properly, and other undesirable effects may follow.
You may wonder why it worked earlier. The point is that earlier versions of Firefox (as well as other non-IE browsers) interpreted HTTP-only cookies in the same manner as traditional scriptable cookies. It was possible to access them through the DOM, so Image Uploader did not lose them.

Resolution

To avoid this problem, you should use the new AddCookie(String) method, which appears in Image Uploader Dual build 4.5.50.0 (the Java version number is 2.5.50.0). If you have an earlier version, you should download the latest release from the product download page. This method explicitly attaches a cookie to the upload request.
Note: Although you can send traditional cookies this way, you should use it solely for HTTP-only cookies. Also, you should not use it for the ActiveX version.
This method can be used in the BeforeUpload event handler. You need to pass a cookie name-value pair to this method as a single string, with the name and value separated by the '=' character. The code snippet below demonstrates how to do it. Note that this sample is for ASP.NET only.
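Code:
<script language="javascript">
// Runs before each upload: attach the ASP.NET forms authentication cookie,
// which is HTTP-only and therefore not readable by the applet itself.
// The server-side expression assumes the request that renders this page
// already carries the forms authentication cookie.
function ImageUploader1_BeforeUpload(){
    getImageUploader("ImageUploader").AddCookie('<%=FormsAuthentication.FormsCookieName %>=<%= Request.Cookies[FormsAuthentication.FormsCookieName].Value %>');
}

var iu = new ImageUploaderWriter("ImageUploader", 770, 500);
// Use the Java applet only; AddCookie should not be used with the ActiveX version.
iu.activeXControlEnabled = false;
iu.javaAppletEnabled = true;
// For the Java applet we specify only the directory with JAR files.
iu.javaAppletCodeBase = "./";
iu.javaAppletCached = false;
iu.javaAppletVersion = "2.5.50.0";
iu.showNonemptyResponse = "off";
// Other parameters…
// Configure the URL that files are uploaded to.
iu.addParam("Action", "upload.aspx");
iu.addEventListener("BeforeUpload", "ImageUploader1_BeforeUpload");
iu.writeHtml();
</script>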
Edited by user Friday, December 18, 2009 7:48:56 PM(UTC) | Reason: Not specified
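
The following is an added example, not code from the original article or from Image Uploader. It models the behaviour described under Reason: given the Set-Cookie headers a site sends, it shows which cookies document.cookie (and therefore the applet) can see and which name=value strings would have to be passed to AddCookie. The function names and sample headers are constructed for illustration, and path, domain and Secure matching are assumed to succeed.

```javascript
// Constructed sample: Set-Cookie headers such as an ASP.NET site might send.
// All values are made up for this example.
const SAMPLE_SET_COOKIE = [
  ".ASPXAUTH=0A1B2C3D4E5F; path=/; HttpOnly",
  "ASP.NET_SessionId=abc123xyz; path=/; httponly",
  "theme=dark; path=/",
  "lang=en=US; Path=/; Secure",
  "; path=/", // malformed: no name=value pair
];

// Parse one Set-Cookie header into { name, value, httpOnly }, or null if malformed.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const pair = parts[0];
  const eq = pair.indexOf("="); // split on the FIRST '=' only; values may contain '='
  if (eq <= 0) return null;
  // Attribute names are case-insensitive, so normalise before comparing.
  const attrs = parts.slice(1).map((a) => a.split("=")[0].trim().toLowerCase());
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: attrs.includes("httponly"),
  };
}

function parseAll(headers) {
  return headers.map(parseSetCookie).filter((c) => c !== null);
}

// What document.cookie returns in a browser that enforces HttpOnly:
// only the scriptable cookies, joined with "; ".
function scriptVisibleCookieString(headers) {
  return parseAll(headers)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// The name=value strings missing from the applet's view. These are the
// ones that would be passed to AddCookie, one call per string.
function cookiesNeedingAddCookie(headers) {
  return parseAll(headers)
    .filter((c) => c.httpOnly)
    .map((c) => `${c.name}=${c.value}`);
}

console.log("applet sees:   ", scriptVisibleCookieString(SAMPLE_SET_COOKIE));
console.log("needs AddCookie:", cookiesNeedingAddCookie(SAMPLE_SET_COOKIE));
```

Because the article's snippet renders the cookie value into the page's inline script, that value becomes readable by any script running on the page, so the list returned by cookiesNeedingAddCookie should be kept to the cookies the upload handler actually requires.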