I have 2 concerns with the method "Save forms and continue later".

  • smoulec_good360
    Asked on October 23, 2017 at 1:17 PM

    I have 2 concerns with the method:

    1) The URL variables are not obfuscated in any way so by filling out the form with dummy data, it is not very hard to figure out the URL structure and spoof it.

    2) I tried to fill out the demo form ( https://form.jotform.com/60873864629975 ) which gave me a link to https://form.jotform.com/60874096771971?session=jdoe@aol.com . Just by changing jdoe@aol.com to test@test.com, I was able to see another form entry made under that email address.

    What are best practices to introduce some level of security in the process?

  • Kevin Support Team Lead
    Replied on October 23, 2017 at 2:37 PM

    1. Please note that if you load the form's link with the session passed over, you will be able to see the data without needing to pass anything through the URL. Now, if you're passing some data through the URL your users are still able to change any value or remove any parameters if they want. 

    2. Since the data is saved on our servers using the session, everyone with the session will be able to view the data. 

    Currently, there is no way to prevent this, since anyone with the custom link will be able to view the already saved information. But if you require the data to be saved and available to only one user, you may implement the auto-fill feature, which will save the data in the browser's cache so anyone else can access it.

    https://www.jotform.com/help/227-How-to-Enable-Auto-Fill-on-Forms 

    I hope this helps. 

  • tomoski
    Replied on November 15, 2017 at 6:11 AM

    My own experience:

    For the "?session=" identification value I've used a form widget generating a unique random value (this: https://widgets.jotform.com/widget/random_value_generator).

    I've set it to create a string of 15 alphanumeric characters with lower and uppercase, but you can set it also to 50 characters, if you wish... 

    In this way it is harder (almost impossible...but not fully impossible...) to get the correct session's URL of the main form. 

    Hope it helps.

  • Rose
    Replied on November 15, 2017 at 8:35 AM

    I'm sorry, but I cannot figure out the exact problem you are having. I sent a test submission to the form https://form.jotform.com/60873864629975 and I saw the following thank-you page:

    [Screenshot: thank-you page]

    Then, I clicked the URL on the form and did not find the Random Value Generator widget. However, the save and continue feature works as it should. Could you please elaborate on the problem you are having with the Random Value Generator widget?

  • tomoski
    Replied on November 15, 2017 at 8:38 AM

    No sorry, I wasn't clear: I have no problem, it was a suggestion to smoulec_good360 in case he/she would like to "increase" the security of the URL with a random number. 

  • aubreybourke
    Replied on November 15, 2017 at 9:39 AM

    Yes that's right. If you know the session variable ( email address ) you would be able to view the submission and edit it.

    And, as noted by user Tomoski, using a random value generator widget would allow you to create a much more secure session id.

    https://widgets.jotform.com/widget/random_value_generator
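
The thread contrasts an email address as the `?session=` value with a 15 or 50 character random alphanumeric string. The following is an added example, not code from any poster or from JotForm, that generates such a value from a CSPRNG and audits a resume link for a guessable session value. The function names, the 64-bit minimum and the character-class estimate are assumptions made for illustration.

```python
import math
import re
import secrets
import string
from urllib.parse import urlsplit, parse_qs

ALPHABET = string.ascii_letters + string.digits  # 62 symbols: a-z, A-Z, 0-9
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def new_session_value(length: int = 15) -> str:
    """Draw each character from the OS CSPRNG (not random.random())."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for a uniformly random string of this shape."""
    return length * math.log2(alphabet_size)


def audit_session_url(url: str, min_bits: float = 64.0) -> list:
    """Return the reasons a link's ?session= value is guessable ([] = none found)."""
    values = parse_qs(urlsplit(url).query).get("session", [])
    if not values:
        return ["no session parameter"]
    value = values[0]
    if EMAIL_RE.match(value):
        return ["session is an email address, which third parties can know or guess"]
    # Upper bound: assumes the value is uniformly random over the classes it uses.
    size = sum(n for n, chars in ((26, string.ascii_lowercase),
                                  (26, string.ascii_uppercase),
                                  (10, string.digits))
               if any(c in chars for c in value))
    size += 32 if any(c not in ALPHABET for c in value) else 0  # rough punctuation count
    bits = entropy_bits(len(value), size)
    if bits < min_bits:  # min_bits is an assumed floor, not a JotForm setting
        return [f"at most {bits:.1f} bits of entropy, below the {min_bits:.0f}-bit floor"]
    return []


if __name__ == "__main__":
    base = "https://form.jotform.com/60874096771971?session="  # form URL from the thread
    for session in ("jdoe@aol.com", "1042", new_session_value(15)):  # constructed samples
        print(session, "->", audit_session_url(base + session) or "ok")
    print(f"15 chars: {entropy_bits(15):.1f} bits, 50 chars: {entropy_bits(50):.1f} bits")
```

A random value only makes the link hard to guess. As stated in the support reply above, anyone who holds the link can still view the saved data.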