
encrypting query string - ASP.NET General

  1. #1

    encrypting query string

    I'm sending some data by the querystring. But I don't want it to be
    seen exactly because of security reasons. Is there a way to encrypt it
    and later decrypt when reading the querystring...?
    I would be very happy with some sample code.

    Onur Bozkurt Guest

  2. #2

    Re: encrypting query string

    It's generally a bad idea to send any sensitive data using the querystring,
    for security purposes.

    You'll need to encrypt using the System.Security.Cryptography classes. What
    you can do is use RC4 encryption to encrypt your string, and then convert it
    to Hex so it can safely be passed in the querystring.

    I've done this in classic ASP, but haven't got round to converting it to
    .net yet, so unfortunately I don't have a code sample. If you'd like to see
    the classic ASP version, let me know.

    Hope this helps,

    Mun




    "Onur Bozkurt" <onur.bozkurt▀ofthome.net> wrote in message
    news:OzJbesRUDHA.1588TK2MSFTNGP11.phx.gbl...
    > I'm sending some data by the querystring. But I don't want it to be
    > seen exactly because of security reasons. Is there a way to encrypt it
    > and later decrypt when reading the querystring...?
    > I would be very happy with some sample code.

    Munsifali Rashid Guest

  3. #3

    Re: encrypting query string

    The real problem with this situation is that he wants to encrypt data and
    then put it into the Query String. If that data controls the functionality
    of the page, it doesn't matter whether it's encrypted or not. The URL will
    still invoke the functionality in the page that the Query String parameter
    specifies, regardless of the user's ability to understand it.

    --
    HTH,

    Kevin Spencer
    Microsoft MVP
    .Net Developer
    http://www.takempis.com
    Big things are made up of
    lots of little things.

    "Munsifali Rashid" <mun**RemoveToReply**vefuk.com> wrote in message
    news:uooZEFSUDHA.1992TK2MSFTNGP12.phx.gbl...
    > It's generally a bad idea to send any sensitive data using the
    > querystring, for security purposes.
    >
    > You'll need to encrypt using the System.Security.Cryptography classes.
    > What you can do is use RC4 encryption to encrypt your string, and then
    > convert it to Hex so it can safely be passed in the querystring.
    >
    > I've done this in classic ASP, but haven't got round to converting it to
    > .net yet, so unfortunately I don't have a code sample. If you'd like to
    > see the classic ASP version, let me know.
    >
    > Hope this helps,
    >
    > Mun
    >
    > "Onur Bozkurt" <onur.bozkurt▀ofthome.net> wrote in message
    > news:OzJbesRUDHA.1588TK2MSFTNGP11.phx.gbl...
    > > I'm sending some data by the querystring. But I don't want it to be
    > > seen exactly because of security reasons. Is there a way to encrypt it
    > > and later decrypt when reading the querystring...?
    > > I would be very happy with some sample code.

    Kevin Spencer Guest

  4. #4

    Re: encrypting query string

    I couldn't understand what exactly you want to say because of my poor
    English. You mean is it still unsecure?
    Is there a way to do this in a more secure way...?

    Kevin Spencer wrote:
    > The real problem with this situation is that he wants to encrypt data and
    > then put it into the Query String. If that data controls the functionality
    > of the page, it doesn't matter whether it's encrypted or not. The URL will
    > still invoke the functionality in the page that the Query String parameter
    > specifies, regardless of the user's ability to understand it.
    >
    >
    Onur Bozkurt Guest

  5. #5

    Re: encrypting query string

    It would be better to store sensitive information on the server, and avoid
    it going out to the client in any way whatsoever.

    --
    HTH,

    Kevin Spencer
    Microsoft MVP
    .Net Developer
    http://www.takempis.com
    Big things are made up of
    lots of little things.

    "Onur Bozkurt" <onur.bozkurt▀ofthome.net> wrote in message
    news:u12WaMTUDHA.3640tk2msftngp13.phx.gbl...
    > I couldn't understand what exactly you want to say because of my poor
    > English. You mean is it still unsecure?
    > Is there a way to do this in a more secure way...?
    >
    > Kevin Spencer wrote:
    >
    > > The real problem with this situation is that he wants to encrypt data
    > > and then put it into the Query String. If that data controls the
    > > functionality of the page, it doesn't matter whether it's encrypted or
    > > not. The URL will still invoke the functionality in the page that the
    > > Query String parameter specifies, regardless of the user's ability to
    > > understand it.

    Kevin Spencer Guest

  6. #6

    Re: encrypting query string

    You are assuming the program will understand the querystring and will be
    able to decrypt it and run the logic.

    But if the key is in the session variable, then a new person, even with the
    url, would not be able to run the program because the server would be unable
    to decrypt the info without the key in the session variable.

    It does not matter if the user can/cannot understand the querystring. If
    the server cannot understand the querystring at a later time, then the
    problem is solved, no?

    Would this work?


    "Kevin Spencer" <kevintakempis.com> wrote in message
    news:OlC99zUUDHA.1556TK2MSFTNGP10.phx.gbl...
    > Here's the thing (thought I explained it earlier!) - The query string is
    > used to pass information to the page that will enable or run some
    > functionality in that page. Regardless of whether the user can understand
    > the query string or not, all he/she needs to do is to paste the URL with
    > the query string into his/her browser, and voila! the page is run.
    >
    > --
    > HTH,
    >
    > Kevin Spencer
    > Microsoft MVP
    > .Net Developer
    > http://www.takempis.com
    > Big things are made up of
    > lots of little things.
    >
    > "Tarren" <noemailplease> wrote in message
    > news:eQU3hOUUDHA.3796tk2msftngp13.phx.gbl...
    > > Could you do this?
    > >
    > > Encrypt the query string and store the private key as a session
    > > variable? so copying the querystring from the url bar and pasting in a
    > > new session would be useless since there would be no key to decrypt it
    > > and it would just read as garbage text?
    > >
    > > I am assuming here that the requirement is that this data must be in a
    > > query string. Could the above approach work? Anyone have experience
    > > with something of that nature?
    > >
    > > "Onur Bozkurt" <onur.bozkurt▀ofthome.net> wrote in message
    > > news:u12WaMTUDHA.3640tk2msftngp13.phx.gbl...
    > > > I couldn't understand what exactly you want to say because of my poor
    > > > English. You mean is it still unsecure?
    > > > Is there a way to do this in a more secure way...?
    > > >
    > > > Kevin Spencer wrote:
    > > >
    > > > > The real problem with this situation is that he wants to encrypt
    > > > > data and then put it into the Query String. If that data controls
    > > > > the functionality of the page, it doesn't matter whether it's
    > > > > encrypted or not. The URL will still invoke the functionality in
    > > > > the page that the Query String parameter specifies, regardless of
    > > > > the user's ability to understand it.

    Tarren Guest

  7. #7

    Re: encrypting query string

    Let me explain it from the beginning.

    This is an e-commerce site without an SSL certificate. So when the user is
    ready to give his/her credit card number I will redirect the user to a new
    web-site with an SSL certificate.
    This wasn't my choice but it should be in this way and can't be changed.

    So when redirecting the user I should send the orderid, userid, amount that
    will be paid,.... to the new page. But I don't want these values to be seen
    clearly.




    Onur Bozkurt Guest

  8. #8

    Re: encrypting query string

    Definitely do-able. You could encrypt a string using a private key, and
    then hex the value (as often, encrypted strings are non-ascii, and you'll
    end up with a very messy URL). Pass the hex in your querystring, and then
    decrypt it on the other end. The querystring is encrypted, so if the user
    messes with it, the server will simply be unable to decipher it on the
    receiving end and discard it.

    I've converted a class I wrote in classic ASP to do this, to ASP.NET (though
    it's not using the new security classes, yet). If you're interested in
    this, drop me a line.

    Mun




    "Tarren" <noemailplease> wrote in message
    news:utl5xwVUDHA.2192TK2MSFTNGP09.phx.gbl...
    > You are assuming the program will understand the querystring and will be
    > able to decrypt it and run the logic.
    >
    > But if the key is in the session variable, then a new person, even with
    > the url, would not be able to run the program because the server would be
    > unable to decrypt the info without the key in the session variable.
    >
    > It does not matter if the user can/cannot understand the querystring. If
    > the server cannot understand the querystring at a later time, then the
    > problem is solved, no?
    >
    > Would this work?

    Munsifali Rashid Guest

  9. #9

    Re: encrypting query string

    Why not post the form directly to the SSL site?

    Alternatively, break your order into two steps. The first when the order is
    written to the database on your end, and then have a form with a bunch of
    hidden fields with the Order ID, User ID, Amount, etc and a submit button to
    the SSL Site saying something like "Click here to pay securely with your
    credit card".

    The form would be submitted to the SSL site, which could use it as required,
    and the user would be able to enter their credit card details to complete
    the transaction.

    If you need to do it without user interaction - i.e. you can't implement the
    above scenario where the user has to click a button, then you could, from
    code dynamically build a form with hidden fields containing the data you
    need to pass across to the SSL site, and then use JavaScript to
    automatically post this form.

    Hope this helps,

    Mun





    "Onur Bozkurt" <destekhementeknoloji.com> wrote in message
    news:eflkQybUDHA.1196TK2MSFTNGP10.phx.gbl...
    > Let me explain it from the beginning.
    >
    > This is an e-commerce site without an SSL certificate. So when the user is
    > ready to give his/her credit card number I will redirect the user to a new
    > web-site with an SSL certificate.
    > This wasn't my choice but it should be in this way and can't be changed.
    >
    > So when redirecting the user I should send the orderid, userid, amount
    > that will be paid,.... to the new page. But I don't want these values to
    > be seen clearly.

    Munsifali Rashid Guest
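
As an added example (not code from any poster in this thread): the handoff described in posts #7 and #8, written in C# with authenticated encryption so that an altered or expired token is rejected instead of decrypting to different values. It assumes .NET 8 or later and a 32-byte key shared by both sites; the names `QueryToken`, `Protect` and `Unprotect` and the `orderid|userid|amount` payload layout are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration: class name, method names and payload layout are hypothetical.
static class QueryToken
{
    const int NonceLen = 12, TagLen = 16;

    // Encrypts e.g. "orderid|userid|amount" together with an expiry time; output is URL-safe.
    public static string Protect(byte[] key, string payload, TimeSpan lifetime)
    {
        long expires = DateTimeOffset.UtcNow.Add(lifetime).ToUnixTimeSeconds();
        byte[] plain = Encoding.UTF8.GetBytes(expires + "|" + payload);
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceLen); // fresh per token
        byte[] cipher = new byte[plain.Length];
        byte[] tag = new byte[TagLen];
        using var aes = new AesGcm(key, TagLen);
        aes.Encrypt(nonce, plain, cipher, tag);
        byte[] token = new byte[NonceLen + TagLen + cipher.Length];
        nonce.CopyTo(token, 0);
        tag.CopyTo(token, NonceLen);
        cipher.CopyTo(token, NonceLen + TagLen);
        return Convert.ToBase64String(token).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Returns the payload, or null if the token was altered, malformed or expired.
    public static string? Unprotect(byte[] key, string token)
    {
        try
        {
            string b64 = token.Replace('-', '+').Replace('_', '/');
            b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
            byte[] raw = Convert.FromBase64String(b64);
            if (raw.Length < NonceLen + TagLen) return null;
            byte[] plain = new byte[raw.Length - NonceLen - TagLen];
            using var aes = new AesGcm(key, TagLen);
            aes.Decrypt(raw.AsSpan(0, NonceLen), raw.AsSpan(NonceLen + TagLen),
                        raw.AsSpan(NonceLen, TagLen), plain); // throws if the tag does not verify
            string[] parts = Encoding.UTF8.GetString(plain).Split('|', 2);
            if (parts.Length != 2 || !long.TryParse(parts[0], out long expires)) return null;
            return DateTimeOffset.UtcNow.ToUnixTimeSeconds() <= expires ? parts[1] : null;
        }
        catch (Exception e) when (e is CryptographicException || e is FormatException)
        {
            return null;
        }
    }
}
```

A token that verifies can still be replayed by anyone holding the URL until it expires, so the receiving site should treat the decrypted order id as a lookup key and confirm the amount against the order record rather than trusting the URL alone.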
