InvalidToken for a Flash upload

Hi,

I am developing a small Flash app to upload multiple files with a progress bar in a Rails site.

Rails handles the server side. I have a controller that displays the view containing the flash, and it also provides a security token to the flash. The Flash gets it and sends it back to the server in the HTTP request that contains the file to upload.

Big surprise: it works perfectly in Internet Explorer... but not in Firefox nor in Opera. :S

For Firefox and Opera, I get an ActionController::InvalidAuthenticityToken in the console.

I display the token in text in the console, in the view html and in the flash, and the token doesn't seem to be altered (though I had to CGI.escape the token to get it right in Flash, and escape it again in Flash to send it back, just because of the "+" that the token can contain).

This is what the console shows for Firefox:

Token from controller = ayZ/bR7r2W3qg61NIspeOsU0N/VBqHqjWamkRtQG+s4=
  SQL (0.0ms)   SET SQL_AUTO_IS_NULL=0

Processing UploadController#form (for 127.0.0.1 at 2010-08-01 13:12:25) [GET]
Rendering upload/form
Completed in 11ms (View: 9, DB: 0) | 200 OK [http://localhost/]
  SQL (0.0ms)   SET SQL_AUTO_IS_NULL=0

Processing UploadController#index (for 127.0.0.1 at 2010-08-01 13:12:29) [POST]
  Parameters: {"Filename"=>"Screenshot-14.jpg", "authenticity_token"=>"ayZ/bR7r2W3qg61NIspeOsU0N/VBqHqjWamkRtQG+s4=", "Upload"=>"Submit Query", "Filedata"=>#<File:C:/Users/Lily/AppData/Local/Temp/RackMultipart.4856.0>}

ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):

And now for Internet Explorer:

Token from controller = i1irXTa0JqlbBNTlfcRwFYdQ24L8yhTBQFWESSrSEZg=
  SQL (0.0ms)   SET SQL_AUTO_IS_NULL=0

Processing UploadController#form (for 127.0.0.1 at 2010-08-01 13:15:02) [GET]
Rendering upload/form
Completed in 4ms (View: 2, DB: 0) | 200 OK [http://localhost/]
  SQL (0.0ms)   SET SQL_AUTO_IS_NULL=0

Processing UploadController#index (for 127.0.0.1 at 2010-08-01 13:15:19) [POST]
  Parameters: {"Filename"=>"MobilePhone_Icon.jpg", "authenticity_token"=>"i1irXTa0JqlbBNTlfcRwFYdQ24L8yhTBQFWESSrSEZg=", "Upload"=>"Submit Query", "Filedata"=>#<File:C:/Users/Lily/AppData/Local/Temp/RackMultipart.4856.2>}
Completed in 8ms (View: 1, DB: 0) | 200 OK [http://localhost/upload?authenticity_token=i1irXTa0JqlbBNTlfcRwFYdQ24L8yhTBQFWESSrSEZg=]

Could someone help me with this? I searched quite a while on the net for an explanation; I found some people's fixes for Swfupload and Uploadify/Paperclip but couldn't get a solution out of them.

(I'm using Rails 2.3.5 and Ruby 1.8.6 on this project; the Flash application is in ActionScript 3, compiled for the player 10.)

Still searching for a solution, if anyone could help. I really searched the web and found some tips, but I still couldn't find a solution. The upload still works with IE and not with other browsers. I read somewhere that it could be a problem of session id and tried this fix that is supposed to override the middleware. But I don't think I understand what my Flash should eventually send to work...

require 'rack/utils'

class FlashSessionCookieMiddleware
  def initialize(app, session_key = '_session_id')
    @app = app
    @session_key = session_key
  end

  def call(env)
    # Only rewrite requests whose User-Agent identifies the Flash player.
    if env['HTTP_USER_AGENT'] =~ /^(Adobe|Shockwave) Flash/
      puts "***** yeaaahh I'm in the condition !"
      puts "***** Session key is : " + @session_key.to_s + " and @app : " + @app.to_s
      params = ::Rack::Utils.parse_query(env['QUERY_STRING'])
      # Rebuild the Cookie header from the session_key query parameter, if present.
      env['HTTP_COOKIE'] = [ @session_key, params['session_key'] ].join('=').freeze unless params['session_key'].nil?
    end
    @app.call(env)
  end
end

By the way, this fix doesn't change that IE works anyway, and not FF nor Opera...
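
Added example (not part of the original posts, and not Rails' own code): a Ruby model of a session-bound token check, following the session-id hypothesis mentioned in the follow-up and the "+" escaping mentioned in the first post. It assumes the token travels in the query string, as in the IE log line; the helper names (`token_for`, `load_session`, `query`, `flash_cookie_fix`, `upload_accepted?`, `demo`) and the session id are constructed for illustration.

```ruby
require 'securerandom'
require 'uri'

SESSION_KEY = '_session_id' # cookie name assumed from the middleware's default
SESSIONS = Hash.new { |store, sid| store[sid] = {} } # constructed in-memory store

# One CSRF token per session, created on first use.
def token_for(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Load the session named by the Cookie header; no cookie means a new session.
def load_session(env)
  sid = env['HTTP_COOKIE'].to_s[/(?:\A|;\s*)#{SESSION_KEY}=([^;]+)/, 1]
  SESSIONS[sid || SecureRandom.hex(16)]
end

# Form-decode the query string ("+" becomes a space, %2B becomes "+").
def query(env)
  URI.decode_www_form(env['QUERY_STRING'].to_s).to_h
end

# Same rewrite as the posted middleware: Flash user agents get their cookie
# rebuilt from the session_key query parameter.
def flash_cookie_fix(env)
  sid = query(env)['session_key']
  flash = env['HTTP_USER_AGENT'] =~ /^(Adobe|Shockwave) Flash/
  flash && sid ? env.merge('HTTP_COOKIE' => "#{SESSION_KEY}=#{sid}") : env
end

# The comparison whose failure surfaces as InvalidAuthenticityToken.
def upload_accepted?(env)
  query(env)['authenticity_token'] == token_for(load_session(env))
end

def demo
  sid = 'constructed-session-id'
  token = 'ayZ/bR7r2W3qg61NIspeOsU0N/VBqHqjWamkRtQG+s4=' # value from the log above
  SESSIONS[sid][:_csrf_token] = token
  escaped = "authenticity_token=#{URI.encode_www_form_component(token)}"
  cookie = { 'HTTP_COOKIE' => "#{SESSION_KEY}=#{sid}" }
  flash = { 'HTTP_USER_AGENT' => 'Shockwave Flash', 'QUERY_STRING' => escaped }
  with_key = flash.merge('QUERY_STRING' => "#{escaped}&session_key=#{sid}")
  { cookie_and_escaped_token: upload_accepted?(cookie.merge('QUERY_STRING' => escaped)),
    cookie_and_raw_plus: upload_accepted?(cookie.merge('QUERY_STRING' => "authenticity_token=#{token}")),
    flash_without_cookie: upload_accepted?(flash),
    flash_with_session_key: upload_accepted?(flash_cookie_fix(with_key)) }
end
```

`demo` returns `true` only for the two requests that reach the session holding the token with the "+" intact. Carrying the session id in the query string, as the `session_key` parameter does, also writes it to access logs, so it is worth limiting that to the upload route and serving it over TLS.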