I am using uploadify to allow image uploads in a form.
The issue I'm having is the following:
To submit the form, the user has to be logged in. The images will ideally be uploaded to the path /uploads/
The problem is, the PHP script that uploadify's swf connects to doesn't get the sessions currently active. That means I can't do
<?php
// this would be the backend script that handles the upload
session_start();
$username = $_SESSION['username'];
$upload_path = "/uploads/$username/";
?>
Now, uploadify allows you to pass $_POST information to the php script in JSON format.
So I could do
scriptData: { username : '<?php echo $_SESSION['username'] ?>'
}
in the JavaScript part and PHP would receive the variable. But this isn't secure... someone could just tamper with the information and make {username: whatever-he-wants}.
How can I get around this issue?
tl;dr - when using uploadify, how can I use existing $_SESSION variables in the backend script?
Insecure it is:
Send the session id with the request and have the server use that session id (if sent).
When I used a swf uploader, I did that. Something like this:
if ( !empty($_POST['sess']) ) {
    session_id($_POST['sess']);
}
session_start();
And on the page you make the request, you get the session id with:
<?php echo session_id(); ?>
Should work, but is not very secure either. My advice: don't use a swf uploader =) HTML5 introduces accept="mimetypes" and multiple as file input attributes. See the specs. If the client doesn't support HTML5 like this: too bad.
Don't pass the user name - pass the whole session. This question shows how: Sessions and uploadify
In a nutshell, this should pass on the session:
'script' : '/upload.php?<?= session_name(); ?>=<?= session_id(); ?>',
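The first answer notes that forwarding the session id is not very secure either. As an added example (not code from the question or either answer), one alternative is for the logged-in form page to issue a short-lived HMAC-signed token naming the user, pass it through scriptData, and have the upload script verify it before building the path. The key constant, the function names and the `token` field are assumptions made for illustration.

```php
<?php
// Added example: short-lived signed upload token (hypothetical helper names).
// Placeholder secret: generate random bytes once and keep them server-side only.
const UPLOAD_TOKEN_KEY = 'replace-with-32-random-bytes-kept-server-side';

// Form page (user is logged in): bind the username to an expiry timestamp.
function issue_upload_token(string $username, int $ttl = 300): string
{
    $payload = base64_encode($username) . '.' . (time() + $ttl);
    return $payload . '.' . hash_hmac('sha256', $payload, UPLOAD_TOKEN_KEY);
}

// Upload script: returns the username, or null when the token is malformed,
// forged or expired. The client can read the token but cannot alter it.
function verify_upload_token(string $token): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$user64, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $user64 . '.' . $expires, UPLOAD_TOKEN_KEY);
    if (!hash_equals($expected, $mac)) {      // constant-time comparison
        return null;
    }
    if (!ctype_digit($expires) || (int) $expires < time()) {
        return null;
    }
    $username = base64_decode($user64, true);
    // Accept only names that are safe as a single directory component.
    if ($username === false || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $username)) {
        return null;
    }
    return $username;
}

// Constructed demo values: one genuine token, one with the username swapped.
$token  = issue_upload_token('alice');
$forged = base64_encode('mallory') . substr($token, strpos($token, '.'));
var_dump(verify_upload_token($token));
var_dump(verify_upload_token($forged));
```

On the form page the token would go into scriptData (for example `token : '<?php echo issue_upload_token($_SESSION['username']) ?>'`), and the upload script would refuse the request when `verify_upload_token($_POST['token'] ?? '')` returns null.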