Uploadify - is there a secure way to upload pictures, visible only to the user that uploaded them?
-
See question in SO http://stackoverflow.com/questions/9946427/uploadify-secure-way-to-upload-pictures-visible-only-to-the-user-that-uploade I'm using uploadify to upload images, but as I soon realised, the SWF object is not sharing the same session as the browser. The reason I think I need the session is to make sure a "hacker" can't upload an image in the name of another user, or overwrite another user's image. I want each image to be 100% private to the uploader Here are the options I see add the session id to the request along with the upload use some cryptography to generate a random but hard to forge image id (e.g. sign a token server side that uses the user id and secret + a random UUID, than save it in a table that will map user identifier to that token (token is the image id) then pass it to the UI, the SWF object will pass this token to the server, where I can verify it came from the server and not tampered by the user then lookup that token in the table, save the image bytes under the placeholder with that token. (and I need to hope that this token is really globally unique forever, which I'm not sure is 100% statistically true, or is it? and if I have the one in a trillion duplicate image id, I can fail the upload and force the user to try again, right? some other option that is way simpler that I didn't think of (e.g. a non SWF solution, e.g. an ajax one? or just forget about the progress bar, it's not worth it, with our current bandwidth, most users won't even see it) just use a GUID, it's hard to guess and if someone managed to guess another user's GUID (e.g. the session id) than let him have the fun of overwriting someone else's image, it's not that they stole their credit card right? Questions Can I use option 1? is it safe? If not, then is option 2 ok? is it too much or too less? is it reinventing the wheel? is there an easier way to get session-less safe image upload that certifies the sender without ability to forge from the client side? Or perhaps there is an AJAX solution that doens't need SWF for a progress bar?
-
Answer:
SWF is never safe. This is what I recon: Use HTML5 (canvas) to upload images. This way you can instantly show the preview (without uploading to server). You can also allow user to crop / verify the image before uploading to server. You can encode/encrypt the image content (eg 2-3 time base64_encode) at client end. before sending to the server Make sure you upload on SSL ie over https For added security you can add HMAC_HASH of the image content to avoid MITM attack. Good luck !
Rochak Chauhan at Quora Visit the source
Related Q & A:
- How to upload pictures from my Sony Cybershot?Best solution by Yahoo! Answers
- How can I upload pictures directly from Facebook to MySpace?Best solution by answers.yahoo.com
- How to upload pictures onto the computer?Best solution by Yahoo! Answers
- Is there a way to email pictures to your phone?Best solution by techlife.samsung.com
- Is there a way to send pictures from my computer to a cell phone?Best solution by Yahoo! Answers
Just Added Q & A:
- How many active mobile subscribers are there in China?Best solution by Quora
- How to find the right vacation?Best solution by bookit.com
- How To Make Your Own Primer?Best solution by thekrazycouponlady.com
- How do you get the domain & range?Best solution by ChaCha
- How do you open pop up blockers?Best solution by Yahoo! Answers
For every problem there is a solution! Proved by Solucija.
-
Got an issue and looking for advice?
-
Ask Solucija to search every corner of the Web for help.
-
Get workable solutions and helpful tips in a moment.
Just ask Solucija about an issue you face and immediately get a list of ready solutions, answers and tips from other Internet users. We always provide the most suitable and complete answer to your question at the top, along with a few good alternatives below.