I tried to add a field with the FileField Sources Plupload and FileField Sources modules and it works fine, but anonymous users can't use it because the "plupload-handle-uploads" URL returns access denied.


Comments

kalman.hosszu’s picture

FileSize
474 bytes

The problem is that the plupload_upload_access() function returns false, because drupal_valid_token() can't validate anonymous users. This function has a flag argument to skip anonymous validation, so I set it to TRUE in the callback and it seems OK. Could you test it?

kalman.hosszu’s picture

Status: Active » Needs review
slashrsm’s picture

We start session in plupload_element_process(), which means that even anon users will get session. Token should work with every user that has a session, even anonymous. Are you using the latest stable release of this module?

Can you double check this? I remember testing with anon users a while ago and it worked as expected.

alforddm’s picture

I've got Plupload in a custom module and I'm having the same problem. Registered users can upload fine but when trying as anonymous I get this error

Failed to load resource: the server responded with a status of 403 (Forbidden) http://colorgenetics.info/plupload-handle-uploads?plupload_token=OsU5vm632DkConIfh6t2jiGbxoIDyjX2X4jOM9iXULk

Not sure if it makes a difference, but I'm using nginx with Perusio's config. I'm not using the dev version though; I'm using 7.x-1.4.

eliosh’s picture

I found this solution useful:
http://blog.rwky.net/2011/09/drupal-7-anonymous-sessions.html

I added a line in my form definition:

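function mymodule_myfunction_form($form, &$form_state) {
  // Store a value so Drupal persists a session for anonymous users.
  $_SESSION["anonymous-tracker"] = time();
  // ... rest of the form definition ...
}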

And now it works perfectly

amontero’s picture

Status: Needs review » Reviewed & tested by the community

Had an already working form with a mupload widget + plupload.
Made that form accessible anonymously and it didn't work (yellow exclamation sign).
Googled for it and patch #1 solved the issue without affecting authenticated users.

kalman.hosszu’s picture

@amontero thanks for testing! @slashrsm could you commit this fix?

slashrsm’s picture

Status: Reviewed & tested by the community » Closed (works as designed)

As already mentioned in #3 I'm against disabling token protection for anonymous users.

Plupload *should* work for anonymous users, but it will create a session for that. Please let me know if it doesn't.

k.dani’s picture

Status: Closed (works as designed) » Active

I also tried to make the plupload field usable by anonymous users, but I also got the mentioned 'Forbidden (403)' response for every image.

I use the following modules and lib:

  • FileField Source 7.x-1.9
  • FileField Source Plupload 7.x-1.1
  • Plupload integration 7.x-1.6
  • Plupload 1.5.8

It works fine for authenticated users, but doesn't work for anonymous users.
I can confirm that patch #1 fixes the problem.

Todd Zebert’s picture

I have some potentially interesting data on this issue. I have an older inherited site, Drupal 7.2, but latest Plupload (1.6) and js lib (1.5.8).

I'm using Plupload with pure FAPI code much like in the docs https://www.drupal.org/node/1647890 - with no other modules. The Form, of course, works perfect for Admin user, but essentially not at all for anonymous users; although if you cleared cache the first anon upload or two might work - it was unpredictable though.

After reviewing this thread, and the other one, https://www.drupal.org/node/1426088 , and pretty much anything else I could Google, I was still stuck (and not wanting to just disable token protection.)

Long story short, after lots of other tries, I eventually:

  1. Tried #5 above (didn't work), but the interesting thing about that is the source for that (follow link) uses _preprocess_node(), which I tried (didn't work) but got me thinking perhaps the session wasn't being created "early enough".
  2. Guessing then that having a $_SESSION variable still wasn't sufficient, I copied in the original patch (the session check/create code block) https://www.drupal.org/files/1426088_plupload_anonymous_uploads_12.patch - into _preprocess_node (didn't work).
  3. Then I noticed this comment about similar code "clobbering" the session in Forms https://api.drupal.org/comment/55243#comment-55243
  4. So I commented out the code from the original patch, and voila it worked without fail!

I haven't tried it without the original patch in _preprocess_node() so I don't know if that's necessary. (At this point I've wasted too much time already)

I suppose that's still a long story, but I have a couple theories - but this is all in deep area of Drupal I'm not really familiar with:

  • Something else in my inherited site was already creating anon sessions and the original patch in plupload_element_process was "clobbering" the session.
  • My attempt to use the original patch in _preprocess_node() was being clobbered by similar code in plupload_element_process.
  • Having the patch only in plupload_element_process is "too late" in the Drupal process.

Anyway, hope this helps someone. Thanks.

Christian Hanne’s picture

FileSize
391 bytes

I know this is a pretty old issue and might not be relevant for most users, but I figured a way to deal with this issue.

Drupal 7 stopped creating sessions for anonymous users a while ago, so it seems to keep regenerating the session_id() used for the tokens. So what you need to do is, force Drupal to create and store an anonymous session. Drupal will only store the session, if it contains values. So you need to store at least some random value in the $_SESSION array. I did this in a hook_init() function. Drupal now creates a database record for the anonymous user. This way anonymous uploads work and authorization through token works too.

Please note, that I don't know why Drupal stopped creating sessions for anon users. It might be because of performance issues or something else. So maybe, if we force the old behaviour we should either make a note to the readme file or have a checkbox for users, where they can allow anonymous uploads.
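
The session behaviour described in this comment, next to the skip-anonymous flag from patch #1, as an added example that is not part of the thread and is not Drupal or Plupload code. It is a simplified stand-alone model: the function names, `SITE_SECRET`, the session IDs and the token value `plupload-handle-uploads` are assumptions made for illustration.

```php
<?php
// Simplified model of Drupal 7's session-bound tokens (not core or Plupload code).
// SITE_SECRET and the session IDs are constructed sample values.
const SITE_SECRET = 'constructed-private-key-plus-hash-salt';
const TOKEN_VALUE = 'plupload-handle-uploads'; // assumed token value

// Mirrors the idea of drupal_get_token(): HMAC keyed with session ID + site secret.
function model_get_token($value, $session_id) {
  $raw = hash_hmac('sha256', $value, $session_id . SITE_SECRET, TRUE);
  return strtr(rtrim(base64_encode($raw), '='), '+/', '-_');
}

// Mirrors the idea of drupal_valid_token(), including the skip-anonymous flag.
function model_valid_token($token, $value, $session_id, $uid, $skip_anonymous = FALSE) {
  if ($skip_anonymous && $uid == 0) {
    return TRUE; // The token is never compared for anonymous users.
  }
  return hash_equals(model_get_token($value, $session_id), $token);
}

// Session ID seen on the next request: it is kept only if the session was
// stored, which in this model happens only when $_SESSION held data.
function next_request_session_id($current_id, array $session_data) {
  return empty($session_data) ? bin2hex(random_bytes(16)) : $current_id;
}

$uid = 0; // anonymous user
$results = array();
$form_sid = 'constructed-session-id-A';
$token = model_get_token(TOKEN_VALUE, $form_sid); // issued when the form is built

// Case 1: empty $_SESSION, so the upload request arrives with a new session ID.
$sid = next_request_session_id($form_sid, array());
$results['empty session'] = model_valid_token($token, TOKEN_VALUE, $sid, $uid);

// Case 2: a value was stored, so the same session ID reaches the upload callback.
$sid = next_request_session_id($form_sid, array('anonymous-tracker' => time()));
$results['stored session'] = model_valid_token($token, TOKEN_VALUE, $sid, $uid);

// Case 3: skip-anonymous flag set; a token the site never issued is accepted.
$results['skip flag, wrong token'] =
  model_valid_token('not-a-real-token', TOKEN_VALUE, $sid, $uid, TRUE);

var_export($results);
```

Case 1 corresponds to the 403 reported for anonymous uploads, case 2 to the stored-session workaround, and case 3 to the loss of token protection that the maintainer objected to.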

Christian Hanne’s picture

FileSize
389 bytes

Had a typo in the last patch...