$_GET vs. $_COOKIE in authenticate.php


Stefan Wild

Jul 23, 2012, 10:39:39 AM
to resour...@googlegroups.com
Recently a client has started having problems with the Flash uploader on Firefox under Windows that I can reproduce on my machine. After much digging and debugging I found out that Flash apparently sends outdated user session cookies out of the LSO, which can be confirmed by deleting Internet Explorer's cookies (which deletes the LSOs that Flash uses in all browsers). For similar problems (i.e. Flash not sending any cookies at all) there has already been a fix that sends the session hash via GET var in the POST request for the upload. However, in the described scenario, Flash does send a cookie and in authenticate.php that is the first condition, so it is being used regardless of the GET var. I believe this should be reversed – if there is a session hash in the GET vars, that should supersede any cookies. I don't see any (further) security risk in that, since anybody who wants to send a forged session hash could always just delete the cookie before sending it through a GET request and thus have the same end result.

Any other thoughts on this? Otherwise I'd like to commit that change soon.
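
The precedence change proposed above, sketched as an added example; it is not part of the original thread and not ResourceSpace's authenticate.php code. The `user` parameter/cookie name, the 32-hex-digit hash format and the `resolve_session_hash()` helper are assumptions made for illustration.

```php
<?php
// Added illustration, not ResourceSpace code.
// Assumptions: the session hash travels as "user" (GET var or cookie)
// and is 32 lowercase hex digits.

/**
 * Choose the session hash for a request. A well-formed GET value
 * supersedes the cookie, so a stale cookie replayed by the Flash
 * uploader cannot shadow the current session hash.
 *
 * Returns [hash or null, source, cookieWasStale]. The returned hash
 * must still be looked up in the server-side session table exactly
 * as before; only the order of the two sources changes.
 */
function resolve_session_hash(array $get, array $cookie, string $name = 'user'): array
{
    $valid = static function ($v): bool {
        // Reject arrays (?user[]=x) and anything not shaped like a hash.
        return is_string($v) && preg_match('/\A[0-9a-f]{32}\z/', $v) === 1;
    };

    $fromGet    = $get[$name] ?? null;
    $fromCookie = $cookie[$name] ?? null;

    if ($valid($fromGet)) {
        // Flag a differing cookie so the stale-LSO case shows up in logs.
        $stale = $valid($fromCookie) && !hash_equals($fromCookie, $fromGet);
        return [$fromGet, 'get', $stale];
    }
    if ($valid($fromCookie)) {
        return [$fromCookie, 'cookie', false];
    }
    return [null, 'none', false];
}

// Constructed sample values, not real session hashes.
$current = str_repeat('a', 32);
$stale   = str_repeat('b', 32);

// Flash upload: current hash in the GET var, outdated cookie from the LSO.
var_dump(resolve_session_hash(['user' => $current], ['user' => $stale]));
// Normal browser request: cookie only.
var_dump(resolve_session_hash([], ['user' => $current]));
// Malformed GET value falls back to the cookie.
var_dump(resolve_session_hash(['user' => ['x']], ['user' => $current]));
```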

Stefan Wild

Jul 31, 2012, 1:55:54 PM
to resour...@googlegroups.com
Change is committed in r3583.

Regards,
Stefan

--
ResourceSpace hosting