Search code examples
securityfile-uploadcryptographyimage-uploadingasyncfileupload

Uploadify - secure way to upload pictures, visible only to the user that uploaded them

I'm using uploadify to upload images, but as I soon realised, the SWF object is not sharing the same session as the browser.

The reason I think I need the session is to make sure a "hacker" can't upload an image in the name of another user, or overwrite another user's image. I want each image to be 100% private to the uploader

Here are the options I see

  1. add the session id to the request along with the upload

  2. use some cryptography to

    • generate a random but hard to forge image id (e.g. sign a token server side that uses the user id and secret + a random UUID,
    • than save it in a table that will map user identifier to that token (token is the image id)
    • then pass it to the UI,
    • the SWF object will pass this token to the server, where I can verify it came from the server and not tampered by the user
    • then lookup that token in the table, save the image bytes under the placeholder with that token. (and I need to hope that this token is really globally unique forever, which I'm not sure is 100% statistically true, or is it? and if I have the one in a trillion duplicate image id, I can fail the upload and force the user to try again, right?

  3. some other option that is way simpler that I didn't think of (e.g. a non SWF solution, e.g. an ajax one? or just forget about the progress bar, it's not worth it, with our current bandwidth, most users won't even see it)

  4. just use a GUID, it's hard to guess and if someone managed to guess another user's GUID (e.g. the session id) than let him have the fun of overwriting someone else's image, it's not that they stole their credit card right?

Questions

  • Can I use option 1? is it safe?
  • If not, then is option 2 ok? is it too much or too less? is it reinventing the wheel? is there an easier way to get session-less safe image upload that certifies the sender without ability to forge from the client side?
  • Or perhaps there is an AJAX solution that doens't need SWF for a progress bar?
Solution

  • try this, it worked for me:
    Can't see any session values when using Uploadify in ASP.NET .
    The idea is you have to send the session id back to server and load the session depending on it.