encrypting query string


Onur Bozkurt

I'm sending some data by the querystring. But I don't want it to be
seen, exactly because of security reasons. Is there a way to encrypt it
and later decrypt it when reading the querystring...?
I would be very happy with some sample code.
 
It's generally a bad idea to send any sensitive data using the querystring,
for security purposes.

You'll need to encrypt using the System.Security.Cryptography classes. What
you can do is use RC4 encryption to encrypt your string, and then convert it
to Hex so it can safely be passed in the querystring.

I've done this in classic ASP, but haven't got round to converting it to
.net yet, so unfortunately I don't have a code sample. If you'd like to see
the classic ASP version, let me know.

Hope this helps,

Mun
 
The real problem with this situation is that he wants to encrypt data and
then put it into the Query String. If that data controls the functionality
of the page, it doesn't matter whether it's encrypted or not. The URL will
still invoke the functionality in the page that the Query String parameter
specifies, regardless of the user's ability to understand it.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
http://www.takempis.com
Big things are made up of
lots of little things.
 
I couldn't understand what exactly you want to say because of my poor
English. You mean it is still insecure?
Is there a way to do this in a more secure way...?
 
It would be better to store sensitive information on the server, and avoid
it going out to the client in any way whatsoever.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
http://www.takempis.com
Big things are made up of
lots of little things.
 
You are assuming the program will understand the querystring and will be
able to decrypt it and run the logic.

But if the key is in the session variable, then a new person, even with the
url, would not be able to run the program because the server would be unable
to decrypt the info without the key in the session variable.

It does not matter if the user can/cannot understand the querystring. If
the server cannot understand the querystring at a later time, then the
problem is solved, no?

Would this work?
 
Let me explain it from the beginning.

This is an e-commerce site without an SSL certificate. So when the user is
ready to give his/her credit card number I will redirect the user to a new
web-site with an SSL certificate.
This wasn't my choice, but it has to be this way and can't be changed.

So when redirecting the user I should send the orderid, userid, amount that
will be paid, .... to the new page. But I don't want these values to be seen
clearly.
 
Definitely do-able. You could encrypt a string using a private key, and
then hex the value (as often, encrypted strings are non-ascii, and you'll
end up with a very messy URL). Pass the hex in your querystring, and then
decrypt it on the other end. The querystring is encrypted, so if the user
messes with it, the server will simply be unable to decipher it on the
receiving end and discard it.

I've converted a class I wrote in classic ASP to do this, to ASP.NET (though
it's not using the new security classes, yet). If you're interested in
this, drop me a line.

Mun
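An added example of the encrypt-then-hex approach described above; this is not code from Mun or anyone else in the thread. It uses AES-GCM (authenticated encryption) in place of RC4, so a querystring value that has been modified is rejected outright instead of decrypting to garbage. `QueryStringProtector`, `Protect` and `Unprotect` are hypothetical names, the key is assumed to be a 32-byte secret shared only between the two servers, and the code assumes .NET 8 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not from the thread): wraps order data for the querystring
// with AES-GCM so tampering is detected, then hex-encodes it so the URL stays clean.
public static class QueryStringProtector
{
    private const int NonceSize = 12;  // standard AES-GCM nonce length
    private const int TagSize = 16;    // authentication tag length

    // Returns hex(nonce || ciphertext || tag) for use as a querystring value.
    public static string Protect(byte[] key, string plaintext)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize); // fresh per message
        byte[] data = Encoding.UTF8.GetBytes(plaintext);
        byte[] ciphertext = new byte[data.Length];
        byte[] tag = new byte[TagSize];
        using (var aes = new AesGcm(key, TagSize))
            aes.Encrypt(nonce, data, ciphertext, tag);
        byte[] blob = new byte[NonceSize + ciphertext.Length + TagSize];
        Buffer.BlockCopy(nonce, 0, blob, 0, NonceSize);
        Buffer.BlockCopy(ciphertext, 0, blob, NonceSize, ciphertext.Length);
        Buffer.BlockCopy(tag, 0, blob, NonceSize + ciphertext.Length, TagSize);
        return Convert.ToHexString(blob);
    }

    // Returns the plaintext, or null when the value is malformed or has been
    // tampered with; the receiving page should then discard the request.
    public static string Unprotect(byte[] key, string hexValue)
    {
        byte[] blob;
        try { blob = Convert.FromHexString(hexValue); }
        catch (FormatException) { return null; }          // not valid hex
        if (blob.Length < NonceSize + TagSize) return null; // too short to be ours
        int ctLen = blob.Length - NonceSize - TagSize;
        byte[] nonce = new byte[NonceSize], ciphertext = new byte[ctLen], tag = new byte[TagSize];
        Buffer.BlockCopy(blob, 0, nonce, 0, NonceSize);
        Buffer.BlockCopy(blob, NonceSize, ciphertext, 0, ctLen);
        Buffer.BlockCopy(blob, NonceSize + ctLen, tag, 0, TagSize);
        byte[] plaintext = new byte[ctLen];
        try
        {
            using var aes = new AesGcm(key, TagSize);
            aes.Decrypt(nonce, ciphertext, tag, plaintext); // throws on tag mismatch
        }
        catch (CryptographicException) { return null; }    // tampered, or wrong key
        return Encoding.UTF8.GetString(plaintext);
    }
}
```

Note that this hides and integrity-protects the values but, as Kevin points out, anyone holding the unmodified URL can still replay it; the receiving site should still check the order against its own records (for example, that the order id is unpaid and matches the amount).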
 
Why not post the form directly to the SSL site?

Alternatively, break your order into two steps. The first when the order is
written to the database on your end, and then have a form with a bunch of
hidden fields with the Order ID, User ID, Amount, etc and a submit button to
the SSL Site saying something like "Click here to pay securely with your
credit card".

The form would be submitted to the SSL site, which could use it as required,
and the user would be able to enter their credit card details to complete
the transaction.

If you need to do it without user interaction - i.e. you can't implement the
above scenario where the user has to click a button, then you could, from
code, dynamically build a form with hidden fields containing the data you
need to pass across to the SSL site, and then use JavaScript to
automatically post this form.

Hope this helps,

Mun
 