
Does Flash Player transmit session cookies automatically?

There's no access to the HTTP cookies from within a Flash movie, but I now have repeatedly read that Flash Player is supposed to take care of session cookies automatically. I could, however, not find any documentation about this, and it sure didn't work with my Flex client running against a Struts backend using the default JSESSIONID cookie.

So, does Flash Player handle session cookies or doesn't it, and if it does, how do I set it up?

Hanno Fietz asked Jan 29 '10 10:01


2 Answers

The HTTP requests from Flash are sent through the browser - so yeah, the cookies are transmitted automatically. In fact, I am currently doing a site that handles logging in (and hence setting the session cookie) in an HTML page and then forwards the user to a Flash-only page. The Flash page is sending a lot of requests to the server using URLLoader & URLRequest and I am able to verify the session cookie for each of those.

That said, you can access HTTP cookies from Flash using ExternalInterface.call(). Make sure allowScriptAccess in the SWF embedding code is set to the appropriate value.

import flash.external.ExternalInterface;

// The string is a JavaScript function expression; Flash Player invokes it in the hosting page
// and hands back its return value (document.cookie). The literal must stay on one line.
var cookies:String = ExternalInterface.available
    ? ExternalInterface.call("function() { return document.cookie; }") as String
    : null;

Update: I haven't tried that (login in Flash), but you might be right - Flash might be ignoring the Set-Cookie (or all) response headers. And unfortunately Flash does not let us access response headers either. But since it is possible to access the response headers in an AJAX response (using xhr.getResponseHeader) you can use ExternalInterface and outsource the login part to AJAX. Grab the headers in the AJAX response and set the cookie using JavaScript (according to this SO thread, the browser will do that automatically). Once set, subsequent requests sent from Flash would include the session cookie in them.

Use the ExternalInterface.addCallback method to register a Flash method to be callable from JavaScript.

Amarghosh answered Oct 25 '22 08:10
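The answer above reads the raw document.cookie string through ExternalInterface. The page-side helper below is an added example (not the answerer's code) showing what the hosting page would expose for Flash to call and how to pull one named cookie out of that string; the function names, the window property and the sample cookie string are constructed for the illustration. One caveat the answer does not mention: a cookie the server flags HttpOnly is never present in document.cookie, so this lookup returns null for it even though the browser still attaches it to the Flash requests.

```javascript
// Added example, not part of the original answer. Parses a document.cookie-style string
// ("a=1; b=2") into a map and looks up one cookie by name. Intended to be exposed on the
// hosting page so Flash can call ExternalInterface.call("getSessionCookie", "JSESSIONID").

function parseCookieString(cookieString) {
  const jar = Object.create(null);
  if (!cookieString) return jar;
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;                        // skip fragments with no "="
    const name = part.slice(0, eq).trim();
    const rawValue = part.slice(eq + 1).trim();
    if (name === '' || name in jar) continue;       // skip nameless entries; keep the first occurrence
    let value = rawValue;
    try { value = decodeURIComponent(rawValue); } catch (e) { /* keep raw value if not URL-encoded */ }
    jar[name] = value;
  }
  return jar;
}

// Returns the cookie value, or null when it is absent (or HttpOnly, hence invisible to scripts).
function getCookie(name, cookieString) {
  const jar = parseCookieString(cookieString);
  return name in jar ? jar[name] : null;
}

// Constructed sample of what document.cookie could return on the Flash page.
const SAMPLE_DOCUMENT_COOKIE = 'JSESSIONID=ABC123DEF456; theme=dark; lang=en%2DUS';

// In a browser, expose the lookup for ExternalInterface.call("getSessionCookie", name).
if (typeof window !== 'undefined') {
  window.getSessionCookie = function (name) { return getCookie(name, document.cookie); };
}
```

Because the browser (not Flash) decides which cookies to attach to a request, a null result here only means scripts cannot see the cookie; it says nothing about whether the request carried it.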


Flash Player usually does its networking through the browser, in which case setting and getting cookies is entirely handled by the browser.

If a site sends Set-Cookie, that should work.

You can't access response headers from within Flash content, just as you can't access them from JavaScript; there are fundamental security reasons why this is so. However, it is possible that someday Flash Player might allow you to read cookies through a cookie API, just as JavaScript does. In the meantime, ExternalInterface will let you call over to JS to read cookies.

There is one case where Flash Player does not send cookies, or may even send the wrong cookies. That is when you are using FileReference.upload(). This is a known Flash Player bug, although a very difficult one for Adobe to solve, because of NPAPI dependencies.

BTW, JSESSIONID is considered insecure at this point. It is vulnerable to CSRF attacks because the browser will blindly send it, no matter whose document is making the request. Most modern login systems use a hidden form field or other means of keeping the login nonce accessible only to pages from within your domain.

Wish I could tell you why your particular app isn't sending cookies. Have you tried comparing it against an all-HTML version? Have you spied on both network streams with a packet sniffer?

Deneb Meketa answered Oct 25 '22 07:10