Cookie is what we make of it. For browser, its opaque data anyway.

So, when /upload is requested, the backend in response sets a cookie with a random uploadId (+ TTL). At the backend, we tie sessionId and uploadId.

With every step which is called, we verify sessionId and uploadId along with additional state which is stored.

This means even if the form is opened on a different tab, it will work well.

Thats... basically what the guy did? He just put the sessionId in the form data instead of a cookie.

	▲	devnull3 2 days ago \| parent [-]
		> He just put the sessionId in the form data instead of a cookie. This does not have the benefit of being usable across different tabs or even closing and re-opening the page. Besides, (a minor point) shoving all the state in the cookie makes code simple i.e. don't have use URL params.