Flash Remoting: HTTPS & Internet Explorer
My initial experience with HTTPS Flash Remoting in Microsoft Internet Explorer was an absolute disaster! I was so frustrated as to why my remoting connection was working flawlessly in Mozilla Firefox and the MS Windows stand-alone Flash player, while not working at all in Internet Explorer. After hours of Google searches and digging through forum posts (which is probably where you are if you are reading this text), I decided to take matters into my own hands.
Let me preface my conclusion with a brief discussion on how Flash implements HTTP(S) connections. If your Flash application is loaded within a browser window, it actually uses the browser as an API of sorts for making HTTP(S) connections. If it is loaded within the stand-alone player, I am not certain, but I believe it uses a Flash specific browser built into that player.
Therefore, if connection problems are occurring only in Internet Explorer, then most likely it is a problem with either the communication with Flash and Internet Explorer, or Internet Explorer itself.
I have concluded that this problem is caused by the way that Internet Explorer handles the caching of HTTPS data. It appears as though Internet Explorer, if instructed to by the server, will cache all HTTP(S) data before giving it to Flash (if Flash initiated the request). For reasons that are unknown, the amount of time Internet Explorer takes to generate the cache on HTTPS data and hand it off to Flash causes Flash to timeout and fail on the connection. Therefore, this problem can be remedied by simply having your web server instruct browsers to not cache the HTTPS result for your remoting data.
There are many posts out there on how to disable caching. You can even use PHP and other scripting languages to output custom headers. However, I am confident that this solution is the easiest and most stable. Here are two simple steps that you can use to disable caching in Apache (1.x & 2):
- Install mod_headers. For those who are familiar with Apache modules, this should be a fairly easy step. Mod_headers is a very handy tool for generating custom headers for your web pages. (See http://httpd.apache.org/docs/1.3/mod/mod_headers.html for further info).
-
Place the following commands in your apache conf file or an .htaccess file within the scope of your remoting gateway:
Header unset "Expires"
Header unset "Pragma"
Header set "Cache-Control" "no-store, no-cache, must-revalidate, post-check=0, pre-check=0"
That’s it, you are done, and now IE can connect to your HTTPS remoting gateway with ease!
NOTE:
There is a security setting in Internet Explorer that can completely disable Flash Remoting over HTTPS. Users need to be certain that they have the following advanced security setting disabled for things to work properly.
Go to: “Tools� => “Internet Options� => Click on the “Advanced� tab. Make sure “Do not save encrypted pages to disk� is disabled or not checked.
This is AWESOME news! I can confirm that your solution works on my end too!
I had given up hope on this after all of my attempts back in May of last year. I ended up re-architecting my apps to accommodate this glitch after making sure they had worked flawlessly in the IDE and Mozilla/FireFox.
I almost knew it had to be something with the headers, but I apparently didn’t spend enough time thinking about it and/or try enough combinations.
This goes far and beyond making my day. This makes my year! I have so many other ideas and things that can be integrated into my apps because of your findings. Thank you so much for sharing your knowledge.
Jeff
Comment by Jeff — August 24, 2005 @ 12:02 am
Gary, you rock my socks off. You are like the boss of cows or something. This cashing thing is awesome. Way to solve the world’s problems.
Comment by bryce — August 24, 2005 @ 2:18 pm
I wonder if this is the case with Webservice calls over https?
Anyone had anyproblems….just a thought.
Nice work Gary this one will go into my bookmarks as Im sure it will come up at some stage. Im surprised more flash applications arent really using secure access. Luckly I havent seen any flash apps that take credit card numbers yet….A little cautious if I do to.
Cam
Comment by Campbell — September 1, 2005 @ 10:28 pm
I’ve done some testing on this and related issues.
I have loaded a SWF through IE on HTTP. From that swf I load into it a SWF through HTTPS, and then further I make HTTPS calls to PHP scripts from there which are returning XML data. From what I can tell, through sniffing all of the packets, that it is using the browsers secure connection to send and recieve any data from that point. I’ve not seen a problem approaching a Flash shopping cart transition from HTTP to HTTPS this way, but is this a good idea? From what I’ve tested, it seems that all traffic is still secure even though the initial load was a HTTP. I’m just not sure if its a good practice. Thoughts?
Comment by Tyler Boyd — September 14, 2005 @ 5:03 pm
Hi Gray,
I was reserarhing on Flash Remoting and I found a link to your website in http://www.flash-remoting.com/. This is such a helpfull tip for my future development of Remoting applications.
Thanks for you contribution.
Aaron.
Comment by Aaron — September 28, 2005 @ 4:11 pm
Hi Gary,
Just wanted to express how much I appreciate you posting this solution!
I’m building a site on a secure domain that uses PHP to generate the XML that flash needs to load in via an XML object. Until creating a .htaccess file with the header setups you describe, IE refused to let flash load the XML file in. Now everything works perfectly!
My forehead and the brick wall I’ve been bashing it against also send their thanks!
-josh
Comment by Josh — November 16, 2005 @ 5:19 pm
Hi, I’m having the same problem but I don’t have access to the apache conf file. Is their a way to set this in a .htaccess file?
thanks,
Kinoli
Comment by Kinoli — December 1, 2005 @ 11:35 pm
Awesome! Thanks Gary. This was exactly my problem with exactly the right solution. You’ve saved me a lot of time and work.
BTW, the “Do not save encrypted pages to disk� setting seemed to have no effect for me. As long as the HTTP headers were sent back correctly then everything worked.
Comment by Michael Hesler — December 9, 2005 @ 11:12 am
Hi Gary, thanks for posting this solution. It helped me a lot.
In my case, I used the header PHP function and only changed the Pragma header:
header(”Pragma: I-hate-internet-explorer”);
Those of you who also use PHP sessions will have to take extra care. You have to set this header after the session_start. If not, your custom header with be overwritten with session default header:
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Comment by jgomsi — December 19, 2005 @ 11:10 am
This doesn’t work for me. I have tried all of the suggestions above with no luck. Is there anyway I can use PHP to control this? Thank you.
Comment by Kyle — December 22, 2005 @ 9:59 am
Hi Gary
This was looking difficult whereby we were retrieving info from php pages into Flash over https. 2 minutes logging in and creating the file seemed to be sufficient. Interesting though, there was never a problem with Firefox accessing the same files.
Cheers
Dan
Comment by Dan — January 16, 2006 @ 8:37 am
i dont really understand how to do this…my laptop is fine but just the standalone player/flash 8 player is not working i see video but no sound…if you can help and break it down in simple easy steps that would be a big help…Thanks
Comment by kaye — February 1, 2006 @ 4:04 pm
Some one needs to set you up the bomb!! Thanks for the perfect fix!
Comment by Kevin — February 2, 2006 @ 4:39 pm
Many thanks for this perfect solution.. Our apps is working fine now..
It is very true that in every problem has a solution, if you cant figure out how to solve it, just search the world’s library- the world wide web.
Thanks Gary!
Army
Comment by Army — February 20, 2006 @ 6:09 pm
Thankyou Thankyou Thankyou Thankyou. As has been said already thankyou for sharing your knowledge this saved my brain from going to mush….i have felt your pain people..but now its over thanks again. I love the web.
Comment by Joseph — March 13, 2006 @ 12:45 am
Can this idea work without having to make every user of the site mess with their IE settings? It would seem to not be a realistic solution unless it can be made to work with IE’s default settings.
Comment by steve — May 31, 2006 @ 3:09 pm
Gary,
Thank you for this page! I built a flash remoting app
from Ming, PHP and Perl and it worked perfectly in FF, but
died in IE. You gave me the clue, and a few simple meta tags solved the problem for me.
In any case, you may want to change your text above…” and had it off to Flash”
should be “hand” it off to Flash — I belive that’s what you meant to write.
Again, thank you for your insight here! You ROCK, Dude!
Comment by Sam — June 15, 2006 @ 4:03 pm
This works for loading XML over SSL too, which suffers the same problem. I had tried lots of different header tweaks suggested on other sites and threads but any that worked ended up putting the xml file i was loading into the cache, which defeated the security i was trying to achieve with the ssl. This WORKS - loads the xml successfully without allowing the file to be cached.
Thanks Gary, you rock!
Comment by Sinead — November 21, 2006 @ 2:27 pm
I knew I had to do something with the headers, but I apparently didn’t spend enough time thinking about it and try enough combinations. Bu I ll do it after this great piece of Info.
Comment by Lauren — November 28, 2006 @ 1:08 am
Flash having problem ONLY With IE About Getting Session Controlled Dynamic XML over HTTPS.
Need Help?
Just add this after session start and BE SURE that you DID NOT send any data as output BEFORE that command
header(”Pragma: “);
for example
this fails…
this works…
Comment by Unal — February 24, 2007 @ 3:00 pm
header(�Pragma: “); was all I needed to do.
Saved my weekend!
I had been looking for a solution to why my XMLConnector didn’t work in IE all day. So I’m ading the words “XMLConnector” and “DataHolder” so that google picks up on this excellent solution.
Comment by Robotacon — March 24, 2007 @ 2:57 pm
Thanks. This was very useful for us.
Comment by Chelliah — April 25, 2007 @ 2:36 pm
Hi,
Great article!
Did anyone ever get around haveing to get users to manually set their internet options?
How can I make it work with out getting them to set their internet options?
Comment by Marcusvm — May 15, 2007 @ 6:07 pm
hi ,
i am IT engineering student.
me and my friend is working for BE project ,our poject is web based application in which we are using https request ,we embeded flash object in our page but it is not working .we are using jsp,tomcat for this .please suggest some solution.
Comment by somnath — March 31, 2008 @ 6:53 am
would anyone happen to know how to add this to a tomcat .war deployment?
Header unset “Expires”
Header unset “Pragma”
Header set “Cache-Control” “no-store, no-cache, must-revalidate, post-check=0, pre-check=0″
Comment by nick — June 2, 2008 @ 7:44 pm
I had made these header changes and they didn’t seem to work at first. It seemed that I had to clear my cache and delete my temporary internet files and then my Flash file loaded fine. Thanks for the great help!
Comment by Scott — June 3, 2008 @ 6:46 am
For me the problem was solved by adding following two lines to the http header:
Pragma: private
Cache-Control: private
Comment by Stefan — June 5, 2008 @ 1:12 am
credit cards to fix credit
This is a great blog. I have to put a bookmark on it and come back again!
Trackback by credit cards to fix credit — October 6, 2009 @ 12:57 am
THANK YOU - My OpenLaszlo App is up and working on IE over HTTPS again!!!
Comment by ScottH — January 27, 2010 @ 11:51 pm