Flash File Upload and Session Cookies

Ran into this issue the other day, so I wanted to post this in case anyone else ran across it.

Normally, flash will send cookie data along with calls to the server using load vars, xml, etc. The one exception I seem to have found is with FileReference.upload(), which doesnt send them at all. I was sending the file to a java backend, and we found the solution to be to append the session cookie to the url, using a special syntax:


Notice that the ‘;jsessionid=’ part must be sandwiched between the file name and the query string in order to work properly (and not simply appended as a variable to the query string).

14 thoughts on “Flash File Upload and Session Cookies”

  1. I used your syntax:

    file.upload(“http://www.mysite.com/UploadServlet;jsessionid=” + session + “?param1=” + param1 ..etc

    but the session is still not sended (I get a new one in the upload servlet).
    This is happening in Firefox (and probably in Safari – not tested).
    Did you test the solution in Firefox? If it worked, the cookies on your browser were disabled?

  2. this post was referencing sending session ids to java in flash player 8, which did not have a postData property at the time. I haven’t worked with this in a while, but if I remember correctly, we couldn’t simply pass in the sessionID as a variable anyway…we needed this specific syntax in order for java to properly access it.

  3. i managed to work around this bug using flex and java web filter

    Flex Code :

    var urlVars:URLVariables = new URLVariables();
    urlVars.jsessionid = sessionID;

    var uploadUrl:String = “http://localhost:8080/mywar;jsessionid=”+sessionID;
    uploadUrl += “?”+getClientCookies(); //put all client cookies on the query string
    var urlRequest:URLRequest = new URLRequest(uploadUrl);
    urlRequest.method = URLRequestMethod.POST;
    urlRequest.data = urlVars;

    //will go first time and get the cookies set see flex docs
    var testUpload:Boolean = true;


    package com.mywar.fileupload;

    import java.io.IOException;
    import java.util.Enumeration;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.Cookie;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    * @author orasio – spieler
    * This filter comes to solve the Firefox ,Chrome and SAFARI file upload issue
    * The problem was that the file uploaded by the flex
    * FileReference came with a different session and no cookies
    * To solve this problem do the following :
    * don’t forget to add this filter to the web.xml file
    public class FileUploadFilter implements Filter {

    private static final String CONTENT_LENGTH = “content-length”;
    private static final String UPLOAD_SITE_PATH = “/”;
    private static final String JSESSIONID = “JSESSIONID”;

    public void init(FilterConfig filterConfig) throws ServletException {

    public void doFilter(ServletRequest request,
    ServletResponse response,
    FilterChain filterChain)
    throws IOException, ServletException {
    if ((request instanceof HttpServletRequest)
    && (response instanceof HttpServletResponse)) {
    HttpServletRequest httpRequest = (HttpServletRequest) request;

    //httpRequest.getHeader(“user-agent”); //Shockwave Flash
    String contentLength = httpRequest.getHeader(CONTENT_LENGTH);
    boolean isFlexTest = (contentLength!=null
    && Integer.parseInt(contentLength)==0);
    HttpServletResponse httpResponse =
    (HttpServletResponse) response;
    setAllClientCookie((HttpServletResponse)response, httpRequest);
    PrintWriter out = httpResponse.getWriter();
    filterChain.doFilter(request, response);

    * write all cookies back to the flex test response
    private void setAllClientCookie(HttpServletResponse httpResponse,
    HttpServletRequest httpRequest) {
    Enumeration parameterNames =
    while (parameterNames.hasMoreElements()) {
    String cookieName = (String) parameterNames.nextElement();
    //since we get IllegalArgumentException: Cookie name “JSESSIONID” is a reserved token

    if(!cookieName.contains(JSESSIONID)) {
    Cookie cookie =
    new Cookie(cookieName, httpRequest.getParameter(cookieName));

    public void destroy() {


Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>