
I have an idea of a solution for a problem and I want professional insight on its pros and cons, and suggestions.

The problem: I have a form, and inside this form there will be form fields and an asynchronous uploading tool that uses AJAX to upload files to the server (to be specific, it's blueimp's jQuery file uploader). I need to link the already uploaded files to the submitted form's contents without involving the client side in identifying relations (as the request may be forged to link unrelated files and gain access to them).

The idea of the solution: use the AntiForgeryToken provided by the ASP.NET MVC framework as a form identifier (since it is generated with every loaded form), send its value along with the uploaded file, and keep a record of it with the file's entity (id, name, ..., tokenAsClassifier). Then, when the form is submitted, the token will be the same and I can check which files were uploaded from the same form and link them to the same entity that contains the form values.

The idea seems to work, but I would love to hear your thoughts on what could be wrong and what better solutions there are (I already searched and found nothing so far).

Known cons:

1- only works for forms using HttpPost requests

2- Files will be uploaded whether the form is submitted or not

Thank you in advance,

Amirhossein Mehrvarzi
CME64
  • Since files could be uploaded and then the form abandoned regardless of how you protect the process, you'll need a process to clean up. I had an extra boolean field in the DB that got set to true when the corresponding form was processed. A scheduled task could then remove all uploads where this flag was false. – Simon Halsey Jun 11 '14 at 10:07
  • @SimonHalsey I was thinking of the same thing but in another approach, thanks for sharing the idea and confirming its applicability – CME64 Jun 11 '14 at 10:35
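As an added sketch (not code from the question, from blueimp, or from the commenters), here is how the token-as-classifier idea and the clean-up flag from the comments fit together in an ASP.NET MVC controller. `AppDbContext`, `Document` and `DocumentViewModel` are assumed names, and the upload action is assumed to receive `__RequestVerificationToken` as a form field alongside the file.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;
public class UploadedFile
{
    public int Id { get; set; }
    public string Name { get; set; }                // client-supplied name, metadata only
    public string StoredPath { get; set; }          // server-chosen location
    public string OwnerUserName { get; set; }       // who uploaded it
    public string TokenAsClassifier { get; set; }   // form token value posted with the upload
    public bool Linked { get; set; }                // true once the owning form was processed
    public DateTime UploadedAt { get; set; }
}

public class DocumentsController : Controller
{
    private readonly AppDbContext db = new AppDbContext();   // assumed EF context
    private string FormToken => Request.Form["__RequestVerificationToken"];
    [HttpPost, Authorize, ValidateAntiForgeryToken]
    public ActionResult Upload(HttpPostedFileBase file)
    {
        var stored = Server.MapPath("~/App_Data/uploads/" + Guid.NewGuid().ToString("N"));
        file.SaveAs(stored);
        db.UploadedFiles.Add(new UploadedFile { Name = file.FileName, StoredPath = stored,
            OwnerUserName = User.Identity.Name, TokenAsClassifier = FormToken, UploadedAt = DateTime.UtcNow });
        db.SaveChanges();
        return Json(new { name = file.FileName });
    }
    [HttpPost, Authorize, ValidateAntiForgeryToken]
    public ActionResult Submit(DocumentViewModel model)
    {
        var token = FormToken;
        // Same token string AND same authenticated user: the token alone is not an authorisation check.
        var files = db.UploadedFiles.Where(f => f.TokenAsClassifier == token
            && f.OwnerUserName == User.Identity.Name && !f.Linked).ToList();
        files.ForEach(f => f.Linked = true);
        db.Documents.Add(new Document { Title = model.Title, Files = files });
        db.SaveChanges();
        return RedirectToAction("Index");
    }
    // Scheduled clean-up for abandoned forms (Simon Halsey's flag): drop uploads never linked within maxAge.
    public static void RemoveAbandoned(AppDbContext db, TimeSpan maxAge)
    {
        var stale = db.UploadedFiles.Where(f => !f.Linked && f.UploadedAt < DateTime.UtcNow - maxAge).ToList();
        stale.ForEach(f => System.IO.File.Delete(f.StoredPath));
        db.UploadedFiles.RemoveRange(stale);
        db.SaveChanges();
    }
}
```

Both actions keep `ValidateAntiForgeryToken`, so the token is still doing its CSRF job; the classifier match is an additional lookup on top of it, not a replacement for checking who owns the upload.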
