<<< Back to the TFU FAQ

TFU flash upload faq image 22. How to change the session name

Some of you might use a different session name than the default one which is called PHPSESSID. This can be of security issues or if two independent sessions are used for different areas.

If you want that TFU does also use your session a few things have to be done:

  1. Use at least TFU 3.0
  2. Add the session name and session id in the page that calls the flash.
  3. Modify tfu_session.php like described below.

Quick start guide

To change the session name to e.g. "foo" please perform the following steps

  1. Add the session name to flash: tfu_3.0.swf?session_name=foo
  2. Optional: Add the session id to the flash: tfu_3.0.swf?session_name=foo&session_id=<?php echo session_id(); ?>.
    This is only needed If Javascript is not available. Otherwise TFU does read this automatically.
  3. Uncomment line 19 in tfu_session.php and set session_name('foo');
  4. Replace 'TFUSESSID' with 'foo' in tfu_session.php in line 23 and 24.

Done !

Detailed explanation

First I want to explain why so much stuff ist needed. Lets assume you are already logged in your application with the session name 'foo'. Then a cookie does exist with the name foo and the session id in it. Normally this is sent with each request and everything is fine. You set the session name to foo in the application and the right session would be used.

So you might think if you would only do Step 3 of the guide above it actually should work. Unfortunatelly not all flash browser plugins (e.g. in Firefox) do send cookies properly with the upload request. So you would be able to go to a directory in TFU but when you upload the session is lost and you are logged out.

TFU does therefore additionally add the session id with each request. TFU does read this by Javascript and if Javascript is not available it gets it with the configuration from the server. TFU does use the variable TFUSESSID because on some servers (with php_flag session.use_trans_sid=off) the PHPSESSID is stripped from the request. This is why step 2 is optional. If you are not sure that Javascript is available you can add the session id to the flash. Then you are sure that the flash is using your session and not a new one is opened. TFU would work fine with a new one but you won't be able to read any variables from your session.

So why are 1 and 4 needed? The Javascript reads the default cookie PHPSESSID. So if you set session_name=foo (step 1) then the cookie foo is read and also TFUSESSID is not used as key for the session id anymore but foo. So in the request you see foo=<session id>. And now step 4 is needed to tell php which parameter is the session id.

Like all flash upload solutions this raises the problem of session fixation. This is solved by using an additional random number and some internal checks on each request.

 

 

 

 

Follow TWG at
Twitter


Like TWG
on Facebook