diff --git a/app/models/filedrop_file.rb b/app/models/filedrop_file.rb
index 39f72ba6246ae5507bdfd1de72e11154488d1803..235a5b14589009f47cb49679fc09a675a83cd85b 100644
--- a/app/models/filedrop_file.rb
+++ b/app/models/filedrop_file.rb
@@ -1,5 +1,6 @@
 class FiledropFile < ApplicationRecord
   belongs_to :session
+  validates :checksum, presence: true, format: { with: /\A[0-9a-fA-F]+\z/, message: "only allows hexadecimal characters" }
 
   def sanitize_filename(filename)
     filename.gsub(/[^\w\s.-]/, '_')
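Review bot: The `checksum` format rule added after `belongs_to :session` accepts a hex string of any length and in either case, although the second hunk of this file uses that value as the on-disk file name. If the checksum is a fixed-size digest, pinning length and case bounds the file name and stops one digest from mapping to two names on a case-sensitive filesystem, for example `format: { with: /\A[0-9a-f]{64}\z/ }` for a SHA-256 hex digest. The digest type is not visible in this diff, so the length in that example is an assumption to adjust. The hunk ends inside `sanitize_filename`, which is not reviewed here.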
@@ -36,6 +37,6 @@ class FiledropFile < ApplicationRecord
       session.ref_id
     )
     FileUtils.mkdir_p(dir)
-    return File.join(dir, name)
+    return File.join(dir, checksum)
   end
 end
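Review bot: `File.join(dir, checksum)` is only as safe as the model validation, because the path method itself never checks the value it joins. Records written through paths that skip validations (`save(validate: false)`, `update_column`) or rows created before this commit can still reach this line with an arbitrary or nil checksum, and a nil makes `File.join` raise `TypeError`. A guard at the point of use would keep the storage path independent of how the record was written, e.g. `raise ArgumentError, "invalid checksum" unless checksum.to_s.match?(/\A[0-9a-fA-F]+\z/)` before the join. Two records in one session with the same checksum now resolve to the same file, so it is worth confirming that the checksum is computed server-side from the content rather than taken from the client. The method begins outside this hunk.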
diff --git a/app/models/session.rb b/app/models/session.rb
index c53117272523c053cc16b7e0fbe2b21612f3992e..ffeaad4c34f04f49351d35da8e2bcd27cfe8bb03 100644
--- a/app/models/session.rb
+++ b/app/models/session.rb
@@ -13,6 +13,7 @@ class Session < ApplicationRecord
   scope :future, -> { where(starts_at: Time.now..) }
 
   validates :ref_id, uniqueness: { scope: :conference_id }
+  validates :ref_id, format: { with: /\A[0-9a-fA-F-]+\z/, message: "only allows hexadecimal characters and minus" }
 
   after_update :notify_if_changed
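Review bot: The new `ref_id` format rule also applies to sessions that already exist, so any stored `ref_id` that is nil or contains other characters will make every later update of that session fail validation. Nothing in this diff shows a data check or migration for existing rows, and one should accompany this line. The pattern also accepts values made only of hyphens, such as `-`; if ref_ids are UUIDs (not visible here), a stricter shape would document that intent. The message would read better as `"only allows hexadecimal characters and hyphens"`.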