Securely upload file to alternate server C# .net 2.0

Question

I have a C# web application on .net 2.0 being hosted on server A. The web application allows users to upload files using <input id="File1" name="filMyFile" type="file" runat="server" /> to server A. This all works just fine.

I am now being asked to modify the web application to allow pages being served by A to allow uploading directly to server B without storing any information on A not even temporarily.

I am being asked to do this for security reasons. I was thinking about possibly using an iframe and having server B only host the upload portion wrapping the request with SSL. I am not entirely sure of the security implications of doing this, however I have seen a few websites in which for their login controls they SSL only an iframe which contains the login portion and the rest of their site was unsecure.

Is this an OK thing to do? Can someone recommend a better way? Perhaps suggest a basic architecture.

Answer 1

Why don't you just set the form action to the SSL secured page on server B?

<form method="POST" action="https://serverb/uploadmanager.ashx" ...>

Answer 2

I have used the iframe approach, where the iframe code with the upload form is hosted on Server B. It worked reasonably well. You could also host the entire page on Server B if you want.

Answer 3

You could also write the file directly to a SQL db. I prefer this approach from a security standpoint as the file never lives on the server hard drive. It could then be shared between the two servers.

The flip side is that it is more difficult to do AV scanning on files that aren't first written to disk.