Does Flash Player transmit session cookies automatically?
Flash Player usually does its networking through the browser, in which case setting and getting cookies is entirely handled by the browser.
If a site sends Set-Cookie, that should work.
You can't access response headers from within Flash content, just as you can't access them from JavaScript; there are fundamental security reasons why this is so. However, it is possible that someday Flash Player might allow you to read cookies through a cookie API, just as JavaScript does. In the meantime, ExternalInterface will let you call over to JS to read cookies.
There is one case where Flash Player does not send cookies, or may even send the wrong cookies. That is when you are using FileReference.upload(). This is a known Flash Player bug, although a very difficult one for Adobe to solve, because of NPAPI dependencies.
BTW, JSESSIONID is considered insecure at this point. It is vulnerable to CSRF attacks because the browser will blindly send it, no matter whose document is making the request. Most modern login systems use a hidden form field or other means of keeping the login nonce accessible only to pages from within your domain.
Wish I could tell you why your particular app isn't sending cookies. Have you tried comparing it against an all-HTML version? Have you spied on both network streams with a packet sniffer?
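The CSRF point in the answer above, as an added example that is not part of the original answers: a server-side check that refuses a request carrying only the automatically sent JSESSIONID cookie and accepts it only when a hidden-form-field token bound to that session is also present. The HMAC-based token scheme, the field name csrf_token and all function names are assumptions made for this sketch.

```javascript
// Added example (not from the original answers). All names are hypothetical.
const crypto = require("node:crypto");

// Server-side secret that binds a CSRF token to one session (constructed here).
const SERVER_KEY = crypto.randomBytes(32);

// Token the server embeds in a hidden form field of pages from its own origin.
function issueCsrfToken(sessionId) {
  return crypto.createHmac("sha256", SERVER_KEY).update(sessionId).digest("hex");
}

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Accept a state-changing request only if the session cookie AND a matching
// token from the request body are both present.
function isRequestAuthorized(req) {
  const sessionId = parseCookies(req.headers.cookie).JSESSIONID;
  const token = req.body && req.body.csrf_token;
  if (!sessionId || typeof token !== "string") return false;
  const expected = Buffer.from(issueCsrfToken(sessionId), "hex");
  const supplied = Buffer.from(token, "hex");
  // timingSafeEqual throws on length mismatch, so compare lengths first.
  return supplied.length === expected.length &&
         crypto.timingSafeEqual(supplied, expected);
}

// Constructed sample requests.
const SESSION = "A1B2C3D4E5F6";
const ownPageRequest = {      // form rendered by our own page, token included
  headers: { cookie: `JSESSIONID=${SESSION}; theme=dark` },
  body: { amount: "10", csrf_token: issueCsrfToken(SESSION) },
};
const foreignPageRequest = {  // cookie attached by the browser, but no token
  headers: { cookie: `JSESSIONID=${SESSION}` },
  body: { amount: "10" },
};
console.log(isRequestAuthorized(ownPageRequest), isRequestAuthorized(foreignPageRequest));
```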
The HTTP requests from Flash are sent through the browser - so yeah, the cookies are transmitted automatically. In fact, I am currently doing a site that handles logging in (and hence setting the session cookie) in an HTML page and then forwards the user to a Flash-only page. The Flash page is sending a lot of requests to the server using URLLoader & URLRequest and I am able to verify the session cookie for each of those.
That said, you can access HTTP cookies from Flash using ExternalInterface.call(). Make sure allowScriptAccess in the SWF embedding code is set to an appropriate value.
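// ExternalInterface.call() invokes the function expression itself,
// so it is passed without a trailing "()".
var cookies:String = ExternalInterface.call("function() { return document.cookie; }");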
Update: I haven't tried that (login in Flash), but you might be right - Flash might be ignoring the Set-Cookie (or all) response headers. And unfortunately Flash does not let us access response headers either. But since it is possible to access the response headers in an AJAX response (using xhr.getResponseHeader), you can use ExternalInterface and outsource the login part to AJAX. Grab the headers in the AJAX response and set the cookie using JavaScript (according to this SO thread, the browser will do that automatically). Once set, subsequent requests sent from Flash would include the session cookie in them.
Use the ExternalInterface.addCallback method to register a Flash method to be callable from JavaScript.