I have an idea of a solution for a problem and I want professional insight on its pros and cons, and suggestions.
The problem:
I have a form and inside this form there will be form fields and an async uploading tool that uses AJAX to upload files to the server (to be specific, it's blueimp's jQuery file uploader). I need to link the already uploaded files to the submitted form's contents without involving the client side in identifying relations (as the request may be forged to link unrelated files and gain access to them).
The idea of the solution:
Using the antiForgeryToken provided in the ASP.NET MVC framework as a form identifier (since it is generated with every loaded form) and sending its value along with the uploaded file, and keeping a record of it with the files' entity (id, name, ..., tokenAsClassifier). Then, when the form is submitted, the token will be the same and I can check which files were uploaded from the same form and link them to the same entity that contains the form values.
The idea seems to work, but I would love to hear your thoughts on what could be wrong and what better solutions there are (I already searched and found nothing so far).
Known cons:
1- Only works for forms using HttpPost requests
2- Files will be uploaded whether the form is submitted or not
Thank you in advance,
Upvotes: 1
Views: 235
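
A minimal in-memory model of the linking scheme described in the question, as an added example that is not part of the original post and not ASP.NET MVC's own code. All class and method names are hypothetical, a server-generated random value stands in for the anti-forgery token value, and `owner` is assumed to come from the authenticated session rather than from the request body.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;

// Hypothetical model; a real application would persist these records in its database.
public sealed class UploadRecord
{
    public string Name, Owner, TokenAsClassifier;
    public DateTime UploadedUtc = DateTime.UtcNow;
    public int? LinkedEntityId;          // null until the form is submitted
}
public sealed class FormUploadLinker
{
    private readonly Dictionary<string, string> _issued = new Dictionary<string, string>(); // classifier -> owner
    private readonly List<UploadRecord> _files = new List<UploadRecord>();

    // Form render: the server, not the client, creates the classifier and remembers who got it.
    public string IssueClassifier(string owner)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var classifier = Convert.ToBase64String(bytes);
        _issued[classifier] = owner;
        return classifier;
    }

    // AJAX upload endpoint: reject classifiers that were not issued to this user.
    public bool RecordUpload(string owner, string classifier, string name)
    {
        if (classifier == null || !_issued.TryGetValue(classifier, out var issuedTo) || issuedTo != owner) return false;
        _files.Add(new UploadRecord { Name = name, Owner = owner, TokenAsClassifier = classifier });
        return true;
    }

    // Form submit: link only this user's still-unlinked files for this classifier, then retire it.
    public List<UploadRecord> LinkOnSubmit(string owner, string classifier, int entityId)
    {
        if (classifier == null || !_issued.TryGetValue(classifier, out var issuedTo) || issuedTo != owner) return new List<UploadRecord>();
        var mine = _files.Where(f => f.TokenAsClassifier == classifier && f.Owner == owner && f.LinkedEntityId == null).ToList();
        mine.ForEach(f => f.LinkedEntityId = entityId);
        _issued.Remove(classifier);      // one form load, one submit: a replayed classifier links nothing
        return mine;
    }

    // Known con 2: uploads whose form was never submitted are purged after a cutoff.
    public int PurgeOrphans(TimeSpan maxAge) => _files.RemoveAll(f => f.LinkedEntityId == null && DateTime.UtcNow - f.UploadedUtc > maxAge);
}
```

Because the lookup is keyed on both the classifier and the session's user, a request that submits another form's classifier links no files, and a classifier that has already been submitted cannot be reused to attach later uploads.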