Does Flash Player transmit session cookies automatically?

Question

There\'s no access to the HTTP cookies from within a Flash movie, but I now have repeatedly read that Flash Player is supposed to take care of session cookies automatically.

Answer 1

Flash Player usually does its networking through the browser, in which case setting and getting cookies is entirely handled by the browser.

If a site sends Set-Cookie, that should work.

You can't access response headers from within Flash content, just as you can't access them from JavaScript; there are fundamental security reasons why this is so. However, it is possible that someday Flash Player might allow you to read cookies through a cookie API, just as JavaScript does. In the meantime, ExternalInterface will let you call over to JS to read cookies.

There is one case where Flash Player does not send cookies, or may even send the wrong cookies. That is when you are using FileReference.upload(). This is a known Flash Player bug, although a very difficult one for Adobe to solve, because of NPAPI dependencies.

BTW, JSESSIONID is considered insecure at this point. It is vulnerable to CSRF attacks because the browser will blindly send it, no matter whose document is making the request. Most modern login systems use a hidden form field or other means of keeping the login nonce accessible only to pages from within your domain.

Wish I could tell you why your particular app isn't sending cookies. Have you tried comparing it against an all-HTML version? Have you spied on both network streams with a packet sniffer?