- smoulec_good360Asked on October 23, 2017 at 01:17 PM
I have 2 concerns with the method:
1) The URL variables are not obfuscated in any way so by filling out the form with dummy data, it is not very hard to figure out the URL structure and spoof it.
2) I tried to fill out the demo form ( https://form.jotform.com/60873864629975 ) which gave me a link to https://email@example.com . Just by changing firstname.lastname@example.org to email@example.com, I was able to see another form entry made under that email address.
What are best practices to introduce some level of security in the process?
This is a re-post of a comment on How to Save Forms and Continue Later
- JotForm SupportKevin_GAnswered on October 23, 2017 at 02:37 PM
1. Please note that if you load the form's link with the session passed over, you will be able to see the data without needing to pass anything through the URL. Now, if you're passing some data through the URL your users are still able to change any value or remove any parameters if they want.
2. Since the data is saved on our servers using the session, everyone with the session will be able to view the data.
Currently, there is not a way to prevent this since anyone with the custom link will be able to view the already saved information, but if you would require to have data saved and be available only to one user you may implement the auto-fill feature that will save the data on the browser's cache so anyone else can access it.
I hope this helps.
- tomoskiAnswered on November 15, 2017 at 06:11 AM
My own experience:
For the "?session=" identification value I've used a form widget generating a unique random value (this: https://widgets.jotform.com/widget/random_value_generator).
I've set it to create a string of 15 alphanumeric characters with lower and uppercase, but you can set it also to 50 characters, if you wish...
In this way it is harder (almost impossible...but not fully impossible...) to get the correct session's URL of the main form.
hope it helps.
- JotForm SupportRoseAnswered on November 15, 2017 at 08:35 AM
I'm sorry but I can not figured out the exact problem you are having. I sent a test submission to the form https://form.jotform.com/60873864629975 and I saw the following thank you page:
Then, I clicked to the URL on the form and did not find the Random Value Generator Widget. However, save and continue feature works as how it should be. Could you please elaborate the problem you are having with the Random Value Generator widget?
- tomoskiAnswered on November 15, 2017 at 08:38 AM
No sorry, I wasn't clear: I have no problem, it was a suggestion to smoulec_good360 in case he/she would like to "increase" the security of the URL with a random number.
- JotForm SupportaubreybourkeAnswered on November 15, 2017 at 09:39 AM
Yes that's right. If you know the session variable ( email address ) you would be able to view the submission and edit it.
And as noted by user Tomoski using a random value generator widget would allow you to create a much more secure session id.