PRB: Image Uploader for Java looses HTTP-only cookies

Options

Previous Topic Next Topic

Fedor User Profile View All Posts by User View Thanks		#1 Posted : Monday, September 17, 2007 10:32:00 PM(UTC)
Rank: Advanced Member Groups: Member, Administration, Moderator Joined: 7/28/2003(UTC) Posts: 1,660 Thanks: 5 times Was thanked: 76 time(s) in 74 post(s)		When you build web applications with ASP.NET, you may find out that session is lost when uploading files through Image Uploader for Java in Firefox. This article describes how to solve this problem. Overview When you try to upload files with Image Uploader in Firefox 2.0.0.5 or later you can find that your session cookies are lost. This problem is related to: Image Uploader for Java (any version); Mozilla Firefox 2.0.0.5 or later; HTTP-only cookies usage. Reason From version 2.0.0.5, Firefox supports HTTP-only cookies and makes it impossible to read them using JavaScript. It increases security and prevents your site from cross-site scripting attacks. In particular such cookies are used in standard ASP.NET authentication mechanism. When Java version of Image Uploader prepares a POST request before uploading it to the server, it extracts all cookies which are downloaded along with the page that hosts Image Uploader. To get cookie, Image Uploader uses the same object model as you do in JavaScript (as if you use document.cookie). However the browser does not allow Image Uploader to get HTTP-only cookies. That's why when you post files to the server, it does not get such cookies. In particular it means that ASP.NET is not able to identify the session properly, as well as other undesirable effects. You may wonder why it worked earlier. The point is that earlier versions of Firefox (as well as other non-IE browsers) interpreted HTTP-only cookies in the same manner as traditional scriptable cookies. It was possible to get access to them through DOM, so Image Uploader did not loose them. Resolution To avoid this problem you should use new AddCookie(String) method, which appears in Image Uploader Dual build 4.5.50.0 (Java version version number is 2.5.50.0). If you have earlier version, you should download the latest release from the product download page. This method explicitly attaches a cookie to the upload request. Note Although you can send traditional cookies this way, you should use it solely for HTTP-only cookies. Also, you should not use it for ActiveX version. This method can be used in the BeforeUpload event handler. What you need is to pass to this method a cookie name-value pair as a string, separated with '=' character. The code snippet before demonstrates how to do it. Note, this sample is for ASP.NET only. Code: <script language="javascript"> function ImageUploader1_BeforeUpload(){ getImageUploader("ImageUploader").AddCookie('<%=FormsAuthentication.FormsCookieName %>=<%= Request.Cookies[FormsAuthentication.FormsCookieName].Value %>'); } var iu = new ImageUploaderWriter("ImageUploader", 770, 500); iu.activeXControlEnabled = false; iu.javaAppletEnabled = true; //For Java applet we specify only directory with JAR files iu.javaAppletCodeBase = "./"; iu.javaAppletCached = false; iu.javaAppletVersion = "2.5.50.0"; iu.showNonemptyResponse = "off"; //Other parameters… //Configure URL files are uploaded to. iu.addParam("Action", "upload.aspx"); iu.addEventListener("BeforeUpload", "ImageUploader1_BeforeUpload"); iu.writeHtml(); </script> Edited by user Friday, December 18, 2009 7:48:56 PM(UTC) \| Reason: Not specified
		Best regards, Fedor Skvortsov

Pierre User Profile View All Posts by User View Thanks		#2 Posted : Tuesday, January 15, 2008 5:31:08 AM(UTC)
Rank: Newbie Groups: Member Joined: 1/15/2008(UTC) Posts: 2		Thanks for this post. You wrote: "you should not use it for ActiveX version". Actually, I am using ImageUploader Dual, and when I write the BeforeUnload function, I do not know whether the java applet or the ActiveX is being used. - Does not the iu object expand a method or property that indicates whether the component being used is the ActiveX or the Applet java? - How can I determine (run time) whether I need or not to call the AddCookie method? - What is the problem if I call AddCookie when using the ActiveX? Thanks!

Pierre User Profile View All Posts by User View Thanks		#3 Posted : Tuesday, January 15, 2008 7:08:30 PM(UTC)
Rank: Newbie Groups: Member Joined: 1/15/2008(UTC) Posts: 2		I found the answer myself. In order to introduce the fix without bothering whether using the ActiveX or the Java applet, we can test the AddCookie method before: Code: `function ImageUploader1_BeforeUpload(){ var iu = getImageUploader("ImageUploader1"); if (iu.AddCookie) iu.AddCookie('<%=FormsAuthentication.FormsCookieName %>=<%= Request.Cookies[FormsAuthentication.FormsCookieName].Value %>'); }` In such a way, iu.AddCookie will not be called in the case the ActiveX is used. Edited by user Friday, December 18, 2009 7:49:33 PM(UTC) \| Reason: Not specified

Fedor User Profile View All Posts by User View Thanks		#4 Posted : Wednesday, January 16, 2008 12:11:43 AM(UTC)
Rank: Advanced Member Groups: Member, Administration, Moderator Joined: 7/28/2003(UTC) Posts: 1,660 Thanks: 5 times Was thanked: 76 time(s) in 74 post(s)		Hello, Thank you for useful code sample. You can use also use getControlType() method of ImageUploaderWriter: Code: <script language="javascript"> function ImageUploader1_BeforeUpload(){ getImageUploader("ImageUploader1").AddCookie('<%=FormsAuthentication.FormsCookieName %>=<%= Request.Cookies[FormsAuthentication.FormsCookieName].Value %>'); } var iu = new ImageUploaderWriter("ImageUploader", 770, 500); iu.activeXControlEnabled = false; iu.javaAppletEnabled = true; //For Java applet we specify only directory with JAR files iu.javaAppletCodeBase = "./"; iu.javaAppletCached = false; iu.javaAppletVersion = "2.5.50.0"; iu.showNonemptyResponse = "off"; //Other parameters… //Configure URL files are uploaded to. iu.addParam("Action", "upload.aspx"); if (iu.getControlType() == "Java"){ iu.addEventListener("BeforeUpload", "ImageUploader1_BeforeUpload"); } iu.writeHtml(); </script> In this case ImageUploader1_BeforeUpload event handler will be called for Java version only. Edited by user Sunday, February 24, 2008 5:44:35 PM(UTC) \| Reason: Not specified
		Best regards, Fedor Skvortsov

StewartR3 User Profile View All Posts by User View Thanks		#5 Posted : Tuesday, March 4, 2008 9:04:47 PM(UTC)
Rank: Newbie Groups: Member Joined: 3/4/2008(UTC) Posts: 9		I am using ASP Classic. What is the code to use in place of "<%=FormsAuthentication.FormsCookieName %>=<%= Request.Cookies[FormsAuthentication.FormsCookieName].Value %>"? My Image Uploader is version 5.0.40

Fedor User Profile View All Posts by User View Thanks		#6 Posted : Wednesday, March 5, 2008 4:23:04 AM(UTC)
Rank: Advanced Member Groups: Member, Administration, Moderator Joined: 7/28/2003(UTC) Posts: 1,660 Thanks: 5 times Was thanked: 76 time(s) in 74 post(s)		carolyn@digicastcards.com wrote: I am using ASP Classic. What is the code to use in place of "<%=FormsAuthentication.FormsCookieName %>=<%= Request.Cookies[FormsAuthentication.FormsCookieName].Value %>"? My Image Uploader is version 5.0.40 Do you use authentication based on standard ASP sessions (Session.SessionID and so on)?
		Best regards, Fedor Skvortsov

Eugene Kosmin User Profile View All Posts by User View Thanks		#7 Posted : Tuesday, March 18, 2008 5:09:41 PM(UTC)
Rank: Advanced Member Groups: Member, Administration, Moderator Joined: 9/19/2006(UTC) Posts: 505 Was thanked: 41 time(s) in 41 post(s)		There is a small web application in the attachment which demonstrates AddCookie method usage. This is small ASP.NET code snippet written on vs2005/.NET 2.0, based on An Overview of Forms Authentication tutorial. I think it could be helpful in some cases, because AddCookie method question is still one of the most wanted. P.S. There is readme.txt inside attachment with additional information. File Attachment(s): AddCookieSnippet.zip (11kb) downloaded 180 time(s).
		Best regards, Eugene Kosmin The Aurigma Development Team

Fedor User Profile View All Posts by User View Thanks		#8 Posted : Wednesday, March 19, 2008 8:41:29 PM(UTC)
Rank: Advanced Member Groups: Member, Administration, Moderator Joined: 7/28/2003(UTC) Posts: 1,660 Thanks: 5 times Was thanked: 76 time(s) in 74 post(s)		Also I want to add that classic ASP can use different random cookie names for working with sessions. For example here are the examples of such cookies names: ASPSESSIONIDQSADRADT=DJGKPNMACDAJEPGHHKEPFOEB ASPSESSIONIDQSCCTBDS=NPKKPFKAPCNEEBMEKIDCPNKG ASPSESSIONIDSSCARBCS=JDCHGKPAOJFMKEAGIIMLGCAD It is not just ASPSESSIONID but ASPSESSIONIDSOME_RANDOM_IN_THE END. I have not found the way how to know the session cookie name on server side.
		Best regards, Fedor Skvortsov

andrewh User Profile View All Posts by User View Thanks		#9 Posted : Tuesday, May 6, 2008 5:38:55 AM(UTC)
Rank: Newbie Groups: Member Joined: 5/6/2008(UTC) Posts: 4		Hi, forgive me if this is a rather daft question, but I have been trying to get these fixes to work for Firefox for a few days now and I keep getting weird error messages that suggest to me I've done something a bit stupid It falls over in FF with the following error: BC30034: Bracketed identifier is missing closing ']'. and highlights the line below (Marked) Everything works fine in IE (without the fix for redirect), so it is def soemthing to do with this line. Any help greatly appreciated. regards Andrew Code: <script type="text/javascript"> //Create JavaScript object that will embed Image Uploader to the page. var iu = new ImageUploaderWriter("ImageUploader1", 650, 400); function ImageUploader_BeforeUpload() { // Here we are adding Authentication cookies manually // ******** ERROR LINE getImageUploader("ImageUploader").AddCookie('<%=FormsAuthentication.FormsCookieName %>=<%= Request.Cookies[FormsAuthentication.FormsCookieName].Value %>;'); // ******** ERROR LINE } //For ActiveX control full path to CAB file (including file name) should be specified. iu.activeXControlCodeBase = "gallery/ImageUploader5.cab"; iu.activeXControlVersion = "5,0,15,0"; //For Java applet only path to directory with JAR files should be specified (without file name). iu.javaAppletJarFileName = "ImageUploader5.jar"; iu.javaAppletCodeBase = "gallery/"; iu.javaAppletCached = true; iu.javaAppletVersion = "5.0.15.0"; iu.showNonemptyResponse = "off"; iu.addParam("RedirectUrl", "photo-album-edit.aspx"); //Configure appearance and behaviour. iu.addParam("PaneLayout", "TwoPanes"); iu.addParam("ShowDebugWindow", "true"); iu.addParam("ShowDescriptions", "false"); iu.addParam("BackgroundColor", "#ffffff"); //Configure Image Uploader to rotate photos automatically //according to the orientation stored in EXIF metadata. iu.addParam("AllowAutoRotate", "true"); //Append the form with total file size to the upload. iu.addParam("AdditionalFormName", "Form1"); //Configure file mask to upload JPEG images only. iu.addParam("FileMask", ".jpeg;.jpg;.jpe;.gif"); //Set image size restrictions. //iu.addParam("MinImageWidth", "360"); //iu.addParam("MinImageHeight", "360"); //Exclude the source file from upload because only //resized versions of the photo will be sent. iu.addParam("UploadSourceFile", "false"); //Configure URL files are uploaded to. iu.addParam("Action", "photo-upload.aspx"); if ("Java" == iu.getControlType()) { iu.addEventListener("BeforeUpload", "ImageUploader_BeforeUpload"); } //Add event handlers. iu.addEventListener("UploadFileCountChange", "ImageUploader_UploadFileCountChange"); iu.addEventListener("Progress", "ImageUploader_Progress"); //Tell Image Uploader writer object to generate all necessary HTML code to embed //Image Uploader to the page. iu.writeHtml(); </script> Edited by user Friday, December 18, 2009 7:51:01 PM(UTC) \| Reason: Not specified

Eugene Kosmin User Profile View All Posts by User View Thanks		#10 Posted : Wednesday, May 7, 2008 11:28:11 AM(UTC)
Rank: Advanced Member Groups: Member, Administration, Moderator Joined: 9/19/2006(UTC) Posts: 505 Was thanked: 41 time(s) in 41 post(s)		Hi Andrew, I have tested your code with AddCookieSnippet from my previous post and it worked fine both in IE and Firefox. What is the version of ASP.NET on your web server?
		Best regards, Eugene Kosmin The Aurigma Development Team

andrewh User Profile View All Posts by User View Thanks		#11 Posted : Thursday, May 8, 2008 5:27:41 AM(UTC)
Rank: Newbie Groups: Member Joined: 5/6/2008(UTC) Posts: 4		Hi - does the line of code: getImageUploader("ImageUploader").AddCookie('<%=FormsAuthentication.FormsCookieName %>=<%= Request.Cookies[FormsAuthentication.FormsCookieName].Value %>;'); go in EXACTLY like this - or do I need to make some changes - this is where the errors are coming from. I am using vs2005 on .net2.0. Thanks for the help

Eugene Kosmin User Profile View All Posts by User View Thanks		#12 Posted : Sunday, May 11, 2008 4:19:25 PM(UTC)
Rank: Advanced Member Groups: Member, Administration, Moderator Joined: 9/19/2006(UTC) Posts: 505 Was thanked: 41 time(s) in 41 post(s)		Hi Andrew, I have copied this string from your post and it was exactly the same. Perhaps you didn’t set the page language on the top of your page, the default is Visual Basic. Please make sure that you set language = “C#”: Code: `<%@ Page Language="C#" AutoEventWireup="true" Codebehind="Default.aspx.cs" Inherits="AuthTestApp2.Default" Title="Test Page" %>`
		Best regards, Eugene Kosmin The Aurigma Development Team

andrewh User Profile View All Posts by User View Thanks		#13 Posted : Monday, May 12, 2008 5:57:03 AM(UTC)
Rank: Newbie Groups: Member Joined: 5/6/2008(UTC) Posts: 4		Hi - thanks - that fixed the compilation error!! However, I am still getting the error "The server attempted to redirect you but server redirects are not supported". Your code snippet worked fine but it doesn't have the equivalent of my: iu.addParam("RedirectUrl", "photo-album-edit.aspx"); line in which I guess is what is causing the problem?? Everything works fine in IE, just firefox 2.0.0.14 Any further help would be greatly appreciated. regards Andrew

Eugene Kosmin User Profile View All Posts by User View Thanks		#14 Posted : Monday, May 12, 2008 12:48:47 PM(UTC)
Rank: Advanced Member Groups: Member, Administration, Moderator Joined: 9/19/2006(UTC) Posts: 505 Was thanked: 41 time(s) in 41 post(s)		This error means that your UPLOAD SCRIPT tries to redirect upload POST to another URL. I suspect that if you remove your RedirectUrl – the problem will remain. RedirectUrl affects only client page redirect. Please check your upload script for redirect actions.
		Best regards, Eugene Kosmin The Aurigma Development Team

andrewh User Profile View All Posts by User View Thanks		#15 Posted : Monday, May 12, 2008 5:46:20 PM(UTC)
Rank: Newbie Groups: Member Joined: 5/6/2008(UTC) Posts: 4		Yes it does do a redirect - is this not possible anymore? Currently in ie, the users go from a management page to a photo selection page, press upload then go back to the management page automatically (through a response.redirect on the upload page) - is this not possible now?

Eugene Kosmin User Profile View All Posts by User View Thanks		#16 Posted : Tuesday, May 13, 2008 1:42:32 PM(UTC)
Rank: Advanced Member Groups: Member, Administration, Moderator Joined: 9/19/2006(UTC) Posts: 505 Was thanked: 41 time(s) in 41 post(s)		Redirect is still possible. The behavior you described should work correctly. But you can’t do redirect from the script which handles your upload data. URL to this script is specified in Action property. For example, you can’t do such thing in upload.aspx: Code: `<script runat="server"> void Page_Load() { Response.Redirect("RedirectAction.aspx"); } </script>`
		Best regards, Eugene Kosmin The Aurigma Development Team

grouphutDev User Profile View All Posts by User View Thanks		#17 Posted : Sunday, June 22, 2008 6:47:59 PM(UTC)
Rank: Newbie Groups: Member Joined: 6/12/2008(UTC) Posts: 8		Hi, i am using ASP.NET 2.0 and using windows authentication not the FormsAuthentication. Please suggest what string should i use in place of function ImageUploader1_BeforeUpload() { getImageUploader("ImageUploader1").AddCookie('<%=FormsAuthentication.FormsCookieName %>=<%= Request.Cookies[FormsAuthentication.FormsCookieName].Value %>'); } As using the above code i get an error : "Object reference not set to an instance of an object." Please suggest Thanks

Eugene Kosmin User Profile View All Posts by User View Thanks		#18 Posted : Sunday, June 22, 2008 7:58:16 PM(UTC)
Rank: Advanced Member Groups: Member, Administration, Moderator Joined: 9/19/2006(UTC) Posts: 505 Was thanked: 41 time(s) in 41 post(s)		Hi, Windows authentication does not use cookies, try to remove this string.
		Best regards, Eugene Kosmin The Aurigma Development Team

grouphutDev User Profile View All Posts by User View Thanks		#19 Posted : Sunday, June 22, 2008 10:32:08 PM(UTC)
Rank: Newbie Groups: Member Joined: 6/12/2008(UTC) Posts: 8		Hi Eugene, I am using Image Uploader 5.1.10.0 Dual version but it does not work on Mozilla/Firefox It shows the error messsage : "The server attempted to redirect you, but server redirects are not supported". Please suggest what string should i use in place of that function ImageUploader1_BeforeUpload() { getImageUploader("ImageUploader1").AddCookie('<%=FormsAuthentication.FormsCookieName %>=<%= Request.Cookies[FormsAuthentication.FormsCookieName].Value %>'); } as the <authentication mode="Windows" /> in my project. Thanks

Dmitry User Profile View All Posts by User View Thanks		#20 Posted : Monday, June 23, 2008 8:19:24 PM(UTC)
Rank: Advanced Member Groups: Member, Administration, Moderator Joined: 8/3/2003(UTC) Posts: 1,070 Thanks: 1 times Was thanked: 12 time(s) in 12 post(s)		grouphutDev wrote: I am using Image Uploader 5.1.10.0 Dual version but it does not work on Mozilla/Firefox Does Firefox and Image Uploader prompt for user/password?
		Sincerely yours, Dmitry Sevostyanov Follow Aurigma on Twitter!

Users browsing this topic

3 Pages12 3 >

Forum Jump

You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.