This content has been marked as final. Show 3 replies
If anyone else runs into this problem, here's what I've found. You can't count on receiving the UPLOAD_COMPLETE_DATA event but the COMPLETE event seems to consistently occur. This stinks as now I must create an additional query to get the status information for the upload. Can someone from Adobe explain to me why your upload is so braindead? From having to pass the real session id in the url and hack up backend authentication because for some unknown reason a new session is created for non-IE browsers to the old 2-pass posting to not being able to pass other POST params. I should be able to do this in one simple POST, but now I've got 3. 1 to create with my row info, 2 to upload, 3 to check status. Ridiculous.
I'm fairly certain the reason the upload has a different cookie/session is because it runs in another instance of the browser/player for the upload for security reasons. There are ways around this without passing the session id in the URL.
I do it in rails by returning an upload id number, along with an md5 hash of that id number. Then when my upload completes, I call my regular upload status URL (non-upload so having the correct cookie), and pass it the id and md5 hash (for cheap security that the original user is the one requesting the status). When I get the status request from the correct cookie, I assign it to that user/session.
I've never had any issues passing other variables, unless you mean specifically POST variables for the 65k limit versus 4k, though I've gotten variables with 9k in addition to an upload before so not sure what the limit is. Here is some code that allows my user to create a profile that either uploads or doesn't upload if they've added a picture or not:
Oops, looks like I didn't do my due diligence as I wasn't aware of URLVariable. That will help as now I can combine my create and upload request.
I'm not sure I understand what advantage the md5 hash has over putting the session id in the URL (and since I now know about URLVariable, I'll make it a POST param instead). The session_id is normally visible in the request as a cookie anyways so is their any additional security concern here?
Thanks for the help! I'm a little gunshy about making too many more changes now that I think its working ok. Demo #1 to the client involved a session timeout during the upload, so it failed after they waited an an hour for the upload to complete. After adding a session keep-alive ping, demo #2 didn't trigger the UPLOAD_COMPLETE_DATA so it never got shown as completed. Those two problems have nulled all previous attaboys.