Cookies are more appropriate for whole-site or whole-session data. There's no natural segregation of "this cookie belongs to this instance of this form". You could figure that out, but the additional moving parts cut down on the appeal.

▲

devnull3 2 days ago | parent [-]

Cookie is what we make of it. For browser, its opaque data anyway.

So, when /upload is requested, the backend in response sets a cookie with a random uploadId (+ TTL). At the backend, we tie sessionId and uploadId.

With every step which is called, we verify sessionId and uploadId along with additional state which is stored.

This means even if the form is opened on a different tab, it will work well.

▲

thefreeman 2 days ago | parent [-]

Thats... basically what the guy did? He just put the sessionId in the form data instead of a cookie.

	▲	devnull3 2 days ago \| parent [-]
		> He just put the sessionId in the form data instead of a cookie. This does not have the benefit of being usable across different tabs or even closing and re-opening the page. Besides, (a minor point) shoving all the state in the cookie makes code simple i.e. don't have use URL params.