Ask a Jedi: Flash, ColdFusion and FIle Uploads

This post is more than 2 years old.

Asa asks an interesting question. I wasn't going to answer as Flash isn't my area really, but I had an idea and I figured I'd suggest it. Please feel free to correct me if this is dumb. Anyway, here is the question:

I'm trying to make a file unloader using Flash & ColdFusion. I have a flash file embedded on a page that let's the user select a file, which is then posted to a ColdFusion page for upload. The problem is that the Flash player doesn't post cookies on file uploads, so the ColdFusion page that's getting posted to is under a new session. Is there a way to append the cfid to the url and have ColdFusion use that session instead of making a new one?

So I was a bit surprised by this. I can't imagine why Flash would not do a 'normal' request and pass along the cookies. That being said - I think I know a way to do this. When you generate your HTML code to embed the Flash SWF, you can pass along the session.urltoken value via flash vars. The Flash app could read this and use it when it does its POST.


Any Flash users out there want to chime in? (I'm sure I must have at least one Flash guy reading the blog. He probably sits next to the one Photoshop guy reading my blog. ;)

Raymond Camden's Picture

About Raymond Camden

Raymond is a senior developer evangelist for Adobe. He focuses on document services, JavaScript, and enterprise cat demos. If you like this article, please consider visiting my Amazon Wishlist or donating via PayPal to show your support. You can even buy me a coffee!

Lafayette, LA

Archived Comments

Comment 1 by Asa posted on 4/10/2008 at 11:52 PM

Thanks Ray. The research I've done talks about how this is a problem with FireFox and Safari. Apparently IE works fine. The solution everyone suggests is to pass the session ID to the flash file and then append it to the URL. All the examples are using PHP though. So if my post URL is upload.cfm?cfid=1234 then how do I make CF use that session?

Here are some more blogs talking about the issue

Comment 2 by Raul Riera posted on 4/10/2008 at 11:52 PM

I discussed about this here before, it works in IE, but Safari or Firefox wont store the session on the request, my work around was to disable security for that specific .cfm upload file (havent seen another solution yet)

My file was site was protected via CFLOGIN, so I did this on the onRequestStart

<!--- Upload with Safari or Firefox? BUG --->
<cfif CGI.SCRIPT_NAME CONTAINS "admin/galerias/fotos/upload.cfm">

Then I skip the validation.

Comment 3 by Raymond Camden posted on 4/11/2008 at 12:00 AM

@Asa: CF supports receiving session info via the url. If you make a link like so:

a href="foo.cfm?#session.urltoken#"

This will append everything CF needs. So if you pass the value to Flash, and Flash does a post to


Then it should work just fine. You don't have to make CF work with it - it should "just work".

@Raul: Wow, I got to say though - I think thats a bad idea. It would let anyone upload files.

Comment 4 by Raul Riera posted on 4/11/2008 at 12:05 AM

I dont know how the security system works so I think I am wrong with this, but wont it be the same for the user to know the upload.cfm address with or without the session id? (in order to upload something with unrestricted access?)

Everyone can easily hit view source and see the var passed in to the swf via flashVars

Comment 5 by David Buhler posted on 4/11/2008 at 12:07 AM

You can call a CFC from within CFFile to retrieve session information, if I recall correctly.

Comment 6 by asa posted on 4/11/2008 at 1:36 AM

Thanks Ray!

Passing #session.urltoken# to the flash file and then appending it to the upload URL works great!

Comment 7 by Todd Rafferty posted on 4/11/2008 at 11:54 PM

@David: Huh? :P

Comment 8 by Raul Riera posted on 4/14/2008 at 2:31 AM


Im curious how you got that to work, its not working for me doing. Did you added the token to the upload method of actionscript or did you sent the token through the data property in the URLRequest class?

Comment 9 by David Buhler posted on 4/14/2008 at 9:21 PM

@The WebRat

I swear that's how I think i did it! I think. ;)

**all my advice comes without warranty and is given with only vague recollections of what once worked.

Comment 10 by David Buhler posted on 4/15/2008 at 8:13 PM

If the upload directory has its own Application.cfc...

Would it be possible to use the onRequestEnd method in the application CFC, to add a user's Session ID to the database table?

I envision doing a look-up of the last ID in the DB onRequestEnd.


Comment 11 by Asa posted on 4/15/2008 at 10:03 PM

@ Raul

I passed the upload path to the SWF as a variable:


you need the URLEncodedFormat around it because session.urltoken is actually 2 url variables.

Comment 12 by Saul posted on 3/1/2009 at 12:10 AM

I've been looking for several days at examples of using a flash file uploader. I was after single or multiple file uploads, a progress bar and the ability to add "vanilla" form fields. The most promising I found was the YUI uploader from those nice people at Yahoo

I got it working fine submitting to a simple CF page

<cfif structkeyexists(form,"Filedata")>
<cffile action="UPLOAD" filefield="Filedata" destination="#expandpath(".")#" nameconflict="OVERWRITE">

<cfif structkeyexists(form,"var1") and structkeyexists(form,"var2")>
<cffile action = "append" file = "#expandpath(".")#\log.txt" output = "var1 = #var1# var2 = #var2#">

I'm a complete novice with Javascript, PHP, flash in fact anything other than CF, so there's a bit I don't understand (well several ... but this one in particular!)

On the example in the YUI documentation they say they are using this PHP scrip to handle server side

1 <?php
2 foreach ($_FILES as $fieldName => $file) {
3 move_uploaded_file($file['tmp_name'], "./" . $file['name']);
4 echo (" ");
5 } ?>

The echo bit seems to "bounce back" the post data which is then picked up by the onuploadresponse(event). In CF how would I pass back some response to the calling page to fire this event?

Comment 13 by Raymond Camden posted on 3/2/2009 at 9:34 PM

ANything you would output in the CF page would be sent back. If you did


by itself, then that would return. In CF you don't have to echo anything, any non-code will just output (unless you have cfsetting enablecfoutputonly turned on, or cfsilent). So you don't have to do anything special here in that regard.

Comment 14 by Dan Rutledge posted on 8/1/2014 at 12:57 AM

I know this is an old post, but I recently discovered another issue with flash forms. If you are using a load balancer that utilizes a cookie for sticky sessions, you can't stick to the same server because the flash form doesn't send the cookie in the header. No way around this issue as far as I can see.