InvalidToken for a Flash upload

Hi,

I am developping a small Flash app to upload multiple files with a
progress bar in a Rails site.

Rails handles the server side. I have a controller that displays the
view containing the flash, and it also provides a security token to the
flash. The Flash gets it and send it back to the server in the HTTP
request that contains the file to upload.

Big surprise : it works perfectly in Internet Explorer... but not in
Firefox nor in Opera. :S

For Firefox and Opera, I get a
ActionController::InvalidAuthenticityToken in the console.

I display the token in text in the console, in the view html and in the
flash, and the token doesn't seem to be altered (though I had to
CGI.escape the token to get it right in Flash, and escape it again in
Flash to send it back, just because of the "+" that the token can
contains).

This is what the console shows for Firefox :

Token from controller = ayZ/bR7r2W3qg61NIspeOsU0N/VBqHqjWamkRtQG+s4=
  ←[4;36;1mSQL (0.0ms)←[0m ←[0;1mSET SQL_AUTO_IS_NULL=0←[0m

Processing UploadController#form (for 127.0.0.1 at 2010-08-01 13:12:25)
[GET]
Rendering upload/form
Completed in 11ms (View: 9, DB: 0) | 200 OK [http://localhost/]
  ←[4;35;1mSQL (0.0ms)←[0m ←[0mSET SQL_AUTO_IS_NULL=0←[0m

Processing UploadController#index (for 127.0.0.1 at 2010-08-01 13:12:29)
[POST]
  Parameters: {"Filename"=>"Screenshot-14.jpg",
"authenticity_token"=>"ayZ/bR7r2
W3qg61NIspeOsU0N/VBqHqjWamkRtQG+s4=", "Upload"=>"Submit Query",
"Filedata"=>#<File:C:/Users/Lily/AppData/Local/Temp/RackMultipart.4856.0>}

ActionController::InvalidAuthenticityToken
(ActionController::InvalidAuthenticit
yToken):

And now for Internet Explorer :

Token from controller = i1irXTa0JqlbBNTlfcRwFYdQ24L8yhTBQFWESSrSEZg=
g=&=]
  ←[4;35;1mSQL (0.0ms)←[0m ←[0mSET SQL_AUTO_IS_NULL=0←[0m

Processing UploadController#form (for 127.0.0.1 at 2010-08-01 13:15:02)
[GET]
Rendering upload/form
Completed in 4ms (View: 2, DB: 0) | 200 OK [http://localhost/]
ost/]
  ←[4;36;1mSQL (0.0ms)←[0m ←[0;1mSET SQL_AUTO_IS_NULL=0←[0m

Processing UploadController#index (for 127.0.0.1 at 2010-08-01 13:15:19)
[POST]
  Parameters: {"Filename"=>"MobilePhone_Icon.jpg",
"authenticity_token"=>"i1irXT
a0JqlbBNTlfcRwFYdQ24L8yhTBQFWESSrSEZg=", "Upload"=>"Submit Query",
"Filedata"=>#<File:C:/Users/Lily/AppData/Local/Temp/RackMultipart.4
856.2>}
Completed in 8ms (View: 1, DB: 0) | 200 OK
[http://localhost/upload?authenticity
_token=i1irXTa0JqlbBNTlfcRwFYdQ24L8yhTBQFWESSrSEZg=]

Could someone help me about this ? I searched quite a while on the net
for an explaination; I found some people fix for Swfupload and
Uploadify/Paperclip but couldn't get a solution out of it.

(I'm using Rails 2.3.5 and Ruby 1.8.6 on this project, the Flash
application is in ActionScript 3 compiled for the player 10)

Lily :slight_smile: wrote:

Hi,

I am developping a small Flash app to upload multiple files with a
progress bar in a Rails site.

Rails handles the server side. I have a controller that displays the
view containing the flash, and it also provides a security token to the
flash. The Flash gets it and send it back to the server in the HTTP
request that contains the file to upload.

Big surprise : it works perfectly in Internet Explorer... but not in
Firefox nor in Opera. :S

For Firefox and Opera, I get a
ActionController::InvalidAuthenticityToken in the console.

I display the token in text in the console, in the view html and in the
flash, and the token doesn't seem to be altered (though I had to
CGI.escape the token to get it right in Flash, and escape it again in
Flash to send it back, just because of the "+" that the token can
contains).

This is what the console shows for Firefox :

Token from controller = ayZ/bR7r2W3qg61NIspeOsU0N/VBqHqjWamkRtQG+s4=
  ←[4;36;1mSQL (0.0ms)←[0m ←[0;1mSET SQL_AUTO_IS_NULL=0←[0m

Processing UploadController#form (for 127.0.0.1 at 2010-08-01 13:12:25)
[GET]
Rendering upload/form
Completed in 11ms (View: 9, DB: 0) | 200 OK [http://localhost/]
  ←[4;35;1mSQL (0.0ms)←[0m ←[0mSET SQL_AUTO_IS_NULL=0←[0m

Processing UploadController#index (for 127.0.0.1 at 2010-08-01 13:12:29)
[POST]
  Parameters: {"Filename"=>"Screenshot-14.jpg",
"authenticity_token"=>"ayZ/bR7r2
W3qg61NIspeOsU0N/VBqHqjWamkRtQG+s4=", "Upload"=>"Submit Query",
"Filedata"=>#<File:C:/Users/Lily/AppData/Local/Temp/RackMultipart.4856.0>}

ActionController::InvalidAuthenticityToken
(ActionController::InvalidAuthenticit
yToken):

And now for Internet Explorer :

Token from controller = i1irXTa0JqlbBNTlfcRwFYdQ24L8yhTBQFWESSrSEZg=
g=&=]
  ←[4;35;1mSQL (0.0ms)←[0m ←[0mSET SQL_AUTO_IS_NULL=0←[0m

Processing UploadController#form (for 127.0.0.1 at 2010-08-01 13:15:02)
[GET]
Rendering upload/form
Completed in 4ms (View: 2, DB: 0) | 200 OK [http://localhost/]
ost/]
  ←[4;36;1mSQL (0.0ms)←[0m ←[0;1mSET SQL_AUTO_IS_NULL=0←[0m

Processing UploadController#index (for 127.0.0.1 at 2010-08-01 13:15:19)
[POST]
  Parameters: {"Filename"=>"MobilePhone_Icon.jpg",
"authenticity_token"=>"i1irXT
a0JqlbBNTlfcRwFYdQ24L8yhTBQFWESSrSEZg=", "Upload"=>"Submit Query",
"Filedata"=>#<File:C:/Users/Lily/AppData/Local/Temp/RackMultipart.4
856.2>}
Completed in 8ms (View: 1, DB: 0) | 200 OK
[http://localhost/upload?authenticity
_token=i1irXTa0JqlbBNTlfcRwFYdQ24L8yhTBQFWESSrSEZg=]

Could someone help me about this ? I searched quite a while on the net
for an explaination; I found some people fix for Swfupload and
Uploadify/Paperclip but couldn't get a solution out of it.

(I'm using Rails 2.3.5 and Ruby 1.8.6 on this project, the Flash
application is in ActionScript 3 compiled for the player 10)

Still searching for a solution, if anyone could help. I really searched
the web and found some tips but I still couldn't find out a solution.
The upload stills work with IE and not with other browser. I read
somewhere that it could be a problem of session id and tried this fix
that supposed to override the middleware. But I don't think I understand
what my Flash should eventually send to work...

require 'rack/utils'

class FlashSessionCookieMiddleware
  def initialize(app, session_key = '_session_id')
    @app = app
    @session_key = session_key
  end

  def call(env)
    if env['HTTP_USER_AGENT'] =~ /^(Adobe|Shockwave) Flash/
      puts "***** yeaaahh I'm in the condition !"
      puts "***** Session key is : " + @session_key.to_s + " and @app :
" + @app.to_s
      params = ::Rack::Utils.parse_query(env['QUERY_STRING'])
      env['HTTP_COOKIE'] = [ @session_key, params['session_key']
].join('=').freeze unless params['session_key'].nil?
    end
    @app.call(env)
  end
end

By the way, this fix doesn't change that IE works anyway, and not FF nor
Opera...