I'm constructing a site which requires authenticated uploads. I've found the swfupload tool, which works really well with attachment_fu. However, I'm having a heck of a time getting the uploads to work over an authenticated session.

I've implemented this code (http://inquirylabs.com/downloads/get_session_id_from_query_string_on_post.rb) via environment.rb, but I can't get it to work properly, since I get HTTP 500 errors when I try to post to a url that has embedded URL parameters.

What I'm trying to do is this:

    window.onload = function () {
        swfu = new SWFUpload({
            upload_url : '<%= swfupload_photos_path %>?_acp_session=<%= session.session_id %>',
            ...

When I try to upload the request, I see a POST in the rails log as follows:

    127.0.0.1 - - [19/Jan/2008:12:41:57 Mountain Standard Time] "POST /photos/swfupload?_acp_session=BAh7CToMdXNlcl9pZGkGOg...

so the session id is being inserted into the string. However, a HTTP 500 is generated before the CGI::Session object is ever instantiated, and I don't know why - there are no error messages in the log that indicate where the error is occurring.

I've tried to escape the query string, and while that seems to work 'better' (I get the 500 later in the request), it still doesn't work.

Ideally, a pointer to some demo code that implements swfUpload and session id passing would be great.

I'm on the latest released version of Rails: 2.0.2.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
Bit of an update - I've changed the swfUpload javascript object to look like this now:

    window.onload = function () {
        swfu = new SWFUpload({
            upload_url : '<%= swfupload_photos_path %>',

            post_params: {
                '_acp_session' : '<%= session.session_id %>'
            },
            ...

which is much cleaner. However, it still doesn't work :-(

The issue seems to be that CGI::Session doesn't seem to be accepting the session id, since my before filter (which looks for a login id, indicating that the user has authenticated) comes up empty. I'm currently digging into CGI::Session, but as of yet, no joy.
Peter De Berdt
2008-Jan-20 10:46 UTC
Re: swfupload, and uploading via an authenticated session.
On 19 Jan 2008, at 21:50, KenM wrote:

> Bit of an update - I've changed the swfUpload javascript object to
> look like this now:
>
>     window.onload = function () {
>         swfu = new SWFUpload({
>             upload_url : '<%= swfupload_photos_path %>',
>
>             post_params: {
>                 '_acp_session' : '<%= session.session_id %>'
>             },
>             ...
>
> which is much cleaner. However, it still doesn't work :-(
>
> The issue seems to be that CGI::Session doesn't seem to be accepting
> the session id, since my before filter (which looks for a login id,
> indicating that the user has authenticated) comes up empty. I'm
> currently digging into CGI::Session, but as of yet, no joy.

IIRC, Rails 2 introduced security measures that will prevent sessions from being passed as parameters from now on. Now, the problem is that Flash currently offers no way of passing cookies the way Rails expects it to.

I also like using SWFUpload in my projects, so I'm really interested in a solution that doesn't involve exposing the swfupload method as non-authenticated or using some kind of alternative authentication token like method (e.g. use a hashed value as a parameter and compare it to a hashed value in the users table).

Best regards

Peter De Berdt
I was wondering if there was something in Rails 2 that was causing my difficulties.... I'm not going to give up yet, but I think for the time being a token-based solution will suffice - not entirely secure, but 'good enough' for what I'm doing....

On Jan 20, 3:46 am, Peter De Berdt <peter.de.be...-LPO8gxj9N8aZIoH1IeqzKA@public.gmane.org> wrote:

> IIRC, Rails 2 introduced security measures that will prevent sessions
> from being passed as parameters from now on. Now, the problem is that
> Flash currently offers no way of passing cookies the way Rails
> expects it to.
>
> I also like using SWFUpload in my projects, so I'm really interested
> in a solution that doesn't involve exposing the swfupload method as
> non-authenticated or using some kind of alternative authentication
> token like method (e.g. use a hashed value as a parameter and compare
> it to a hashed value in the users table).
>
> Best regards
>
> Peter De Berdt
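An added example, not part of any poster's message: one way to build the "alternative authentication token" discussed above, as a short-lived HMAC-signed value bound to one user and one action, so the session id itself never travels in the upload URL or POST body. The module name, the `upload_token` parameter, the secret and the 10-minute lifetime are assumptions made for the illustration.

```ruby
require 'openssl'

# Hypothetical helper, not from the thread: a short-lived upload token that
# goes into SWFUpload's post_params in place of the session id.
module UploadToken
  SECRET = 'constructed-demo-secret' # assumption: real apps load this from config
  TTL    = 600                       # assumption: token lifetime in seconds

  # Token layout: "<user_id>.<expires_at>.<hex HMAC-SHA256>"
  def self.issue(user_id, action, now = Time.now.to_i)
    expires = now + TTL
    "#{user_id}.#{expires}.#{sign(user_id, action, expires)}"
  end

  # Returns the user id for a valid, unexpired token for this action, else nil.
  def self.verify(token, action, now = Time.now.to_i)
    user_id, expires, mac = token.to_s.split('.', 3)
    return nil unless [user_id, expires].all? { |f| /\A\d+\z/.match?(f.to_s) } && mac
    return nil unless secure_compare(mac, sign(user_id, action, expires))
    return nil if now > expires.to_i
    user_id.to_i
  end

  # The MAC covers the action as well, so a token issued for the upload
  # action is useless against any other action.
  def self.sign(user_id, action, expires)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), SECRET,
                            "#{action}|#{user_id}|#{expires}")
  end

  # Constant-time comparison of two strings.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# View side (hypothetical parameter name):
#   post_params: { 'upload_token' : '<%= UploadToken.issue(user_id, "photos#swfupload") %>' }
# Controller side, in the before filter of the upload action only:
#   user_id = UploadToken.verify(params[:upload_token], 'photos#swfupload')
```

A token captured from a log or proxy is still usable until it expires, but only for the one upload action, whereas a captured session id grants the whole session.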
Eider Oliveira
2008-Jan-21 13:49 UTC
Re: swfupload, and uploading via an authenticated session.
We faced the same problem after upgrading to rails 2.0, and we have it solved in the following way.

First of all, we set the session option to allow only the upload action to accept the session id outside a cookie (in post or get format):

    session :cookie_only => false, :only => %w(attachment)

then we create a session_patch.rb in config/initializers, with the following content:

    class CGI::Session
      alias original_initialize initialize

      # The following code is a work-around for the Flash 8 bug that prevents our multiple file uploader
      # from sending the _session_id. Here, we hack the Session#initialize method and force the session_id
      # to load from the query string via the request uri. (Tested on Lighttpd, Mongrel, Apache)
      def initialize(cgiwrapper, option = {})
        #RAILS_DEFAULT_LOGGER.debug "#{__FILE__}:#{__LINE__} Session options #{option.inspect} *********************"
        unless option['cookie_only']
          #RAILS_DEFAULT_LOGGER.debug "#{__FILE__}:#{__LINE__} Initializing session object #{cgiwrapper.env_table['RAW_POST_DATA']} *********************"
          session_key = option['session_key'] || '_session_id'

          query_string = if (rpd = cgiwrapper.env_table['RAW_POST_DATA']) and rpd != ''
            rpd
          elsif (qs = cgiwrapper.env_table['QUERY_STRING']) and qs != ''
            qs
          elsif (ru = cgiwrapper.env_table['REQUEST_URI'][0..-1]).include?('?')
            ru[(ru.index('?') + 1)..-1]
          end
          if query_string and query_string.include?(session_key)
            option['session_id'] = query_string.scan(/#{session_key}=(.*?)(&.*?)*$/).flatten.first
          end
        end

        original_initialize(cgiwrapper, option)
      end
    end

On Jan 20, 2008 6:53 PM, KenM <Andawyr-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> I was wondering if there was something in Rails 2 that was causing my
> difficulties.... I'm not going to give up yet, but I think for the time
> being a token-based solution will suffice - not entirely secure, but
> 'good enough' for what I'm doing....

--
Eider Oliveira
Site: http://eider.eti.br
Blog: http://eider.eti.br/Home/Blog/Blog.html
"If I had more time, I'd have written you a shorter letter." Pascal
Hi,

For me this solution works but only with Internet Explorer 7. I have not tried the IE6 but anyway it does not work with Firefox.
Has anyone invented some fix for that?

Regards,
Lukasz
Ho-sheng Hsiao
2008-Oct-05 01:21 UTC
Re: swfupload, and uploading via an authenticated session.
> Hi,
>
> For me this solution works but only with Internet Explorer 7. I have
> not tried the IE6 but anyway it does not work with Firefox.
> Has anyone invented some fix for that?
>
> Regards,
> Lukasz

I got it working on Firefox 3 using Rails 2.1. I wrote up about it on my blog:
http://blog.isshen.com/2008/10/5/making-swfupload-and-rails-2-1-sessions-work-together

I don't know why it doesn't work for you. You might be using cookie session store and passing the session_id in a way that screws up the Javascript.

Anyways, the PHP folks have solved it a different way, by writing a separate SWF file that pulls the session cookie in from the browser and sets a Flash cookie.

Ho-Sheng Hsiao
Isshen Solutions, Inc.
--
Posted via http://www.ruby-forum.com/.
Peter De Berdt
2008-Oct-06 07:59 UTC
Re: swfupload, and uploading via an authenticated session.
On 05 Oct 2008, at 03:21, Ho-sheng Hsiao wrote:

> I got it working on Firefox 3 using Rails 2.1. I wrote up about it on my
> blog:
> http://blog.isshen.com/2008/10/5/making-swfupload-and-rails-2-1-sessions-work-together
>
> I don't know why it doesn't work for you. You might be using cookie
> session store and passing the session_id in a way that screws up the
> Javascript.
>
> Anyways, the PHP folks have solved it a different way, by writing a
> separate SWF file that pulls the session cookie in from the browser and
> sets a Flash cookie.

Works perfectly for me on all browsers (I use the cookie store session, but Jörg got it to work with the activerecord store too):
http://groups.google.com/group/rubyonrails-talk/browse_thread/thread/45f70281a5992fa7

Best regards

Peter De Berdt