1

At the moment I'm creating an online exam, and I need to pass a tiny bit of information from one page to another via the URL.

At the moment I currently have this:

Response.Redirect("Home.aspx?uName=" + txtUserName.Text);

Which goes to the home page with the user's UserName in it, which is then picked up and information gets loaded. But what I want to do is somehow encrypt that UserName so the user can't play around with it, nor can they guess what it is. Is there a way of doing this?

Julian
Code Ratchet
  • Why don't you encrypt it and then decrypt it? This might be helpful to you: http://www.obviex.com/samples/hash.aspx – wegelagerer Apr 22 '12 at 10:26
  • 4
    oh god. I'd start looking at sessions and cookies mate. – Spence Apr 22 '12 at 10:27
  • See, I was going to use Sessions, but I have noticed when I go on sites and log in etc. the information is encrypted, so I assumed that was the correct way of doing it – Code Ratchet Apr 22 '12 at 10:28
  • Well, session or cookies is not the solution if he needs a contextual URL, i.e. a URL which can be bookmarked or recalled whatever the context is. – JoeBilly Apr 22 '12 at 11:02

2 Answers

3

Do not use that.

Use Session instead.

And if you really need to pass it by URL, then encrypt (password encryption) the data and encode it with Base64 (encode to transferable chars) (don't forget to encrypt also the '+' sign, since Base64 does use it but browsers think it's a space...)

Royi Namir
  • 1
    Base64 is reversible and doesn't add any security! – SimSimY Apr 22 '12 at 10:42
  • @TheSimon I didn't say that Base64 is adding security!! I said it is a format which can be sent in a URL! `encrypt data and(!!) encode it with Base64` – Royi Namir Apr 22 '12 at 10:43
  • Yup, but TheSimon's comment is useful. It's always good to point out that Base64 is encoding and not encryption ;) – JoeBilly Apr 22 '12 at 11:07
2

A simple solution would be to take the answer from this question: Encrypt and decrypt a string and do something like this:

Response.Redirect("Home.aspx?uName=" + Server.UrlEncode(Crypto.EncryptStringAES(txtUserName.Text, "YourEncryptionKey")));

Then on your next page, just reverse the process to get the value back out like so:

var username = Crypto.DecryptStringAES(Request["uName"], "YourEncryptionKey");

But I would ask, why are you passing a username via a url? Would it not be better to use a membership provider and simply get the user to login? Then you can store any relevant information in a database tied to that user.

Community
ilivewithian
  • Actually, the answer from that question makes a lot of crypto mistakes, so it is easily defeatable in this context. Probably the easiest way to do this correctly with the built-in crypto would be to use the Aes encryption with a random IV, with that IV included in the URL, AND then use HMAC on the encrypted result (with a second key) to compute an authenticated tag (also passed in the URL) so that you wouldn't even attempt to decrypt unless the HMAC verifies. The better way to do this would be to use [bouncy castle](http://www.bouncycastle.org/csharp/)'s AES-GCM with random IV. – jbtule Apr 24 '12 at 21:21
  • I've added real code examples for both methods I mentioned as an answer to that question http://stackoverflow.com/a/10366194/637783 – jbtule Apr 29 '12 at 16:11