Well, if you use the httpOnly configuration (and you need it!), then it is not possible to pass Play's native auth cookie to Uploadify.
What I've done:
1. Do not protect the image controller with @With(Secure.class); use a before method instead:

    // runs Secure.checkAccess() for every action except uploadPost,
    // which cannot carry the httpOnly session cookie from Uploadify
    @Before(unless = "uploadPost")
    public static void before() throws Throwable {
        Secure.checkAccess();
    }
2. Pass two parameters from the controller that renders the page on which the Uploadify plugin is located: userId and signedUserId

    // play.libs.Crypto.sign() uses the application secret, so the client cannot forge it
    String userIdSignature = Crypto.sign(Long.toString(user.id));
    render(..., user.id, userIdSignature);
3. Pass these two parameters on to the uploadPost method

    public static void uploadPost(Upload upload, long userId, String userIdSignature) {
        // recompute the signature server-side and reject the request if it does not match
        if (!userIdSignature.equals(Crypto.sign(Long.toString(userId)))) {
            forbidden("Failed to authenticate user ID " + userId);
        }
        // handle the upload on behalf of userId
    }
If for some reason you do not want the client to know their user ID, the alternative to signing is to encrypt the user ID.
Please note that you are still exposed to replay attacks with this method, but I believe this is a common problem with Play (I could be wrong about that). You can add an expiration date to the signature to limit the damage.