June 19, 2009 at 6:23 pm

Recently I created a Flash-based file uploader for a website that was behind HTTP Basic Auth.

JavaScript calls Flash for the file upload handling, but Flash doesn’t know about any browser cookies or Basic Auth information. So the Flash script always fails to upload the files, since it can’t log into the Basic Auth area.

So I was looking for a workaround for this problem and came across a simple solution. You have to exclude the server-side script (async-upload.php in this example) that receives the uploads from Flash from the Basic Auth. To do so you can add the following lines to the .htaccess file in the same directory as the server-side script.

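# Exclude the file upload script from authentication
# (Apache 2.2 access-control syntax)
<FilesMatch "(async-upload\.php)$">
    # Satisfy Any: a request passes if EITHER the host rules below OR authentication allow it
    Satisfy Any
    Order allow,deny
    Allow from all
    Deny from none
</FilesMatch>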

Hope this will help someone.

4 responses to “Flash Uploads with Basic Authentication”

  1. Makoto says:

    This is good! Mahalo!

  2. cemilcelik says:

    thanks. good solution. it worked.

  3. WebDev says:

    Be careful. Doing this, you will be creating a major security hole, allowing any user to upload arbitrary files to your server.

  4. Matthias says:

    @WebDev this is not completely true. You are right about the fact that everyone who knows the URL can POST data to this endpoint without Basic Auth, but then your script should validate the session of the uploader or something else that makes sure it’s a valid upload. Basically you could deal with it the same way you deal with any CSRF attack and use some token only valid users have.
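
The token check described in the last comment, as an added example (not code from the post or from any commenter): the page behind Basic Auth issues a short-lived HMAC-signed token, Flash sends it back as a POST variable, and async-upload.php rejects the request unless it verifies. The secret, the `token` field name, the function names and the `Filedata` upload field are assumptions made for illustration.

```php
<?php
// Added example. UPLOAD_SECRET is a placeholder; keep the real key outside the web root.
const UPLOAD_SECRET = 'replace-with-a-long-random-secret';
const TOKEN_TTL = 300; // seconds a token stays valid

// Runs on the page behind Basic Auth, e.g. with $_SERVER['PHP_AUTH_USER'].
function issue_upload_token(string $user, int $now): string
{
    $body = bin2hex($user) . '.' . ($now + TOKEN_TTL);
    return $body . '.' . hash_hmac('sha256', $body, UPLOAD_SECRET);
}

// Returns the user name the token was issued to, or null if it is invalid.
function verify_upload_token(string $token, int $now): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) { return null; }
    [$userHex, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $userHex . '.' . $expires, UPLOAD_SECRET);
    if (!hash_equals($expected, $mac)) { return null; }  // constant-time comparison
    if (!ctype_digit($expires) || (int) $expires < $now) { return null; }  // expired
    return hex2bin($userHex);
}

// Runs in async-upload.php (assumed field names), before the uploaded file is touched.
function upload_status(array $post, array $files, int $now): int
{
    $token = is_string($post['token'] ?? null) ? $post['token'] : '';
    if (verify_upload_token($token, $now) === null) {
        return 403;
    }
    $file = $files['Filedata'] ?? null;
    if (!is_array($file) || ($file['error'] ?? null) !== UPLOAD_ERR_OK) {
        return 400;
    }
    return 200; // caller then stores the file under a server-chosen name
}

// Constructed demo input: a valid token, a tampered one, and an expired one.
$now   = 1245435780;
$token = issue_upload_token('alice', $now);
$files = ['Filedata' => ['error' => UPLOAD_ERR_OK, 'tmp_name' => '/tmp/phpDemo']];
foreach ([[$token, $now], [$token . '0', $now], [$token, $now + TOKEN_TTL + 1]] as [$t, $at]) {
    echo upload_status(['token' => $t], $files, $at), "\n";
}
```

The token is time-limited rather than single-use, so it can be replayed until it expires; the endpoint still has to restrict file type, size and storage location on its own.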

