Session flash not working in Safari
I have a music streaming site I've built in Laravel 5. As a precaution to keep people from downloading the MP3s, I have the front end make an AJAX GET request for a one-time token to download. I know this isn't super secure; I just wanted to put something in place to sway novice web users from grabbing my songs. This method works great everywhere but Safari. Here's a streamlined version of how the stream is delivered:
Route
    Route::get('/streamsong/{id}/{token?}', 'StreamController@setupStream');
Controller
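    public function setupStream($id, $token = null)
    {
        // AJAX call without a token: issue a one-time token and flash it to
        // the session (flash data is kept only until the next request).
        if ($token === null && Request::ajax()) {
            $sessionToken = str_random(40);
            Session::flash('songToken', $sessionToken);
            return response($sessionToken);
        }

        // Serve the file only when a token was supplied and it matches the
        // flashed one. A loose == would let a missing token match an empty session.
        if ($token !== null && $token === Session::get('songToken')) {
            $post = Post::find($id);
            $pathToFile = base_path().'/storage/app/mp3/'.$post->song_path;
            $fileSize = filesize($pathToFile);
            $name = $post->song_path;
            $headers = array(
                'Content-Type' => 'audio/mpeg',
                'Pragma' => 'public',
                'Content-Transfer-Encoding' => 'binary',
                'Expires' => 0,
                'Cache-Control' => 'must-revalidate, post-check=0, pre-check=0',
                'Filename' => $name,
                'Connection' => 'keep-alive'
            );
            return response()->download($pathToFile, $name, $headers);
        }

        // Missing or mismatched token: refuse instead of returning an empty response.
        abort(403);
    }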
This works fine in Chrome and Firefox, but in Safari the Session is getting lost for some reason. If I swap out the Session::flash with a Session::put, it works in Safari, but this bypasses the mp3 download security because I can't remove the songToken variable from the session before the response()->download has begun.
If I flush the session any time before the response()->download line, Safari fails. It would seem Safari is making multiple requests and the Session data has already been destroyed on the second attempt. However, looking at the timeline console in Safari, I only see one request. I've tried different session drivers to no avail; really curious what could be causing the snag here.
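An added example, not part of the original post and not Laravel's own code: if the browser does request the stream URL more than once, as the post suspects, a token that is consumed on first read cannot survive the repeat. A short-lived HMAC token bound to the session and the song id tolerates repeated requests and still expires on its own; the function names, the 30-second window and all sample values here are assumptions.

```php
<?php
// Added example: expiring, HMAC-signed stream token (hypothetical helper names).

const TOKEN_TTL = 30; // seconds a token stays valid (assumed value)

// Build "<expiry>.<mac>" where the MAC covers session id, song id and expiry.
function issueStreamToken(string $secret, string $sessionId, int $songId, int $now): string
{
    $expires = $now + TOKEN_TTL;
    $mac = hash_hmac('sha256', "$sessionId|$songId|$expires", $secret);
    return $expires . '.' . $mac;
}

// Stateless check: nothing is deleted from the session, so a second request
// carrying the same token inside the window is still accepted.
function verifyStreamToken(string $secret, string $sessionId, int $songId, ?string $token, int $now): bool
{
    if ($token === null || substr_count($token, '.') !== 1) {
        return false;                       // missing or malformed token
    }
    [$expires, $mac] = explode('.', $token);
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return false;                       // not a timestamp, or already expired
    }
    $expected = hash_hmac('sha256', "$sessionId|$songId|$expires", $secret);
    return hash_equals($expected, $mac);    // constant-time comparison
}

// Constructed sample values, for illustration only.
$secret  = 'constructed-app-secret';
$session = 'constructed-session-id';
$now     = 1700000000;
$token   = issueStreamToken($secret, $session, 42, $now);

var_dump(verifyStreamToken($secret, $session, 42, $token, $now + 1));        // first request
var_dump(verifyStreamToken($secret, $session, 42, $token, $now + 2));        // repeated request, same token
var_dump(verifyStreamToken($secret, $session, 43, $token, $now + 2));        // token reused for another song
var_dump(verifyStreamToken($secret, 'other-session', 42, $token, $now + 2)); // token copied to another session
var_dump(verifyStreamToken($secret, $session, 42, $token, $now + 31));       // after the window has closed
var_dump(verifyStreamToken($secret, $session, 42, null, $now));              // no token supplied
```

The trade-off against a flashed token is that the same URL can be replayed by the same session until the window closes, so the window should be kept as short as playback start-up allows.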