Setting PHP session variables using Flash Actionscript

Question

I have a simple PHP upload script that is called from my Flash App. I am sure it makes the call because it actually uploads the file!

session_start();

$default_path = 'files/';

$target_path = ($_POST['dir']) ? $_POST['dir'] : $default_path;

if(!file_exists($target_path)) mkdir($target_path, 0777, true);

$destination = $target_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

$file_name =  rand(1,9999).$_FILES[ 'Filedata' ][ 'name' ];

if(move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)){

$_SESSION['path'] = 'flashuploader_online/upload/'.$destination;

}

However, I try to use the session variable "path" in another script but it gives me an empty value! Yes, I have made sure to use session_start.

Am I missing something?

Update

At least now I know what the problem is! But I am not sure how to solve it without it getting messy to pass across session variables. Any ideas?

Answer 1

You are going to have to persist the session_id across all requests by passing it as a variable. I promise it won't get too messy! There are a couple changes you will need to make to the page that displays the flash as well as the script it posts to. You will also need to make a slight change to the Flash application itself, so that it can include the session ID when it uploads the file to the server.

First, you will want to provide flash with the session ID by including it with FlashVars. You're going to need the page that is displaying the flash to be preprocessed with PHP, or it will not be possible to persist a session. Make sure you call session_start() in the page that outputs the Flash. You'll end up with something like this:

<object classid="clsid:(blah)" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,28,0" width="800" height="800" id="ZoomifyHotspotViewer">
  <param name="flashvars" value="phpsessionid=<? print session_id(); ?>">
  <param name="src" value="YourSWF.swf">
  <embed flashvars="phpsessionid=<? print session_id(); ?>" src="YourSWF.swf" pluginspage="http://www.adobe.com/go/getflashplayer" type="application/x-shockwave-flash" width="800" height="800" name="YourSWF"></embed>
</object>

This part in particular is what needs to be added, in both the param and embed tags:

phpsessionid=<? print session_id(); ?>

Then, in your Flash app when you make the request, you will now have access to the session id in the variable 'phpsessionid'. You need to include the value in the POST variable named PHPSESSID (all caps) - include it however you are including your other variables such as the 'dir' variable you make use of.

Including that variable will ensure that when you call session_start() on the next page, the session will be restored instead of a new session being started. There are a couple configuration cases where this doesn't happen automatically. If that turns out to be the case for you (i.e. the session id is still different on the next page), you need to do the following in the page that processes the upload:

session_id($_POST['PHPSESSID']);
session_start();

This will manually force PHP to renew the saved session with the specified ID. This shouldn't even be an issue you have to deal with, but if it is you may have to do something similar on the next page the user continues to as well, or add a general case to all pages:

if (isset($_REQUEST['PHPSESSID'])) {
  session_id($_REQUEST['PHPSESSID']);
}
session_start();

Be sure that if you do end up needing to call session_id() in this way as a setter, that you do so before calling session_start().