3

I want to encrypt a URL variable so that the user can't see or modify the information when it is passed in jsp.

This is an example URL:

localhost/somewebpage/name.jsp?id=1234&tname=Employee_March_2013

Here I want to encrypt or encode the parameters id and tname.

Could someone please help me write a short script that encodes / encrypts and then decrypts the parameters

EDIT:
I am sending this url as a attachment in email... when receiver clicks on this link their payslip information will displayed on the web page'

Dileep Kumar
  • 510
  • 1
  • 4
  • 19
  • what will make the password and seed a secret to the user but known/predictable to you? If you are not worried about the user, but some man-in-the-middle sniffing attack.. then.. same question.. – GitaarLAB May 30 '14 at 06:05
  • i am sending this url as a attachment in email....when receiver click on this link their payslip information will displayed on web page....suppose they modified the id value then there is no confidentiality in data....i mean they can see others data.. – Dileep Kumar May 30 '14 at 06:32
  • 'i am sending this url as a attachment in email' @DileepKumar: add this thing about the Email to your question, it is very relevant and changes some things that make my original comment to your question moot!!! Now it became a problem one can actually solve! – GitaarLAB May 30 '14 at 06:35
  • I took the liberty to update your question for you, saving others time POSTing (pun intended) an answer not relevant to you!! – GitaarLAB May 30 '14 at 07:07

4 Answers4

6

The best way to encode / decode in Base64 without using any third party libraries, you can use Using sun.misc.BASE64Encoder / sun.misc.BASE64Decoder. 

try  this snippet 



  String id="1234";
  byte[]   bytesEncoded = Base64.encodeBase64(id.getBytes());//encoding part
  String encoded_id=new String(bytesEncoded);


  String id1=request.getParameter("id");
  byte[] valueDecoded= Base64.decodeBase64(id1);//decoding part
  String decoded_id=new String(valueDecoded);

Send 'encoded_id' as a url parameter instead of passing 'id'

Sunil C K
  • 116
  • 5
0

Your question became solvable the moment we knew that you are 'sending this url as attachment in email... when receiver click on this link their payslip is confirmed'

That means there are 3 options: encrypting, hashing and using random string(s).

In this case I recommend the random strings (or hashing) instead of encrypting. The reason is 2-fold:

  • You are not sending out potentially private data (for google gmail to read, for example)
  • random string(s) (or hashing) is simpler, shorter and safer (for this case).

Assuming you have a database containing your user-data, then you'd generate a unique random string (or hash) for that specific user/transaction. Then you store this data (you could hash it again internally) together with or linked to your user-data.

Now you only send out the link with the random string(s)/hash that is uniquely linked to the user-data.

Have a look on SO for https://stackoverflow.com/search?q=[jsp]+hash
and please, for the love of [enter deity here], be sure you read Wikipedia about 'salt' etc.!!
You do not want to make mistakes with user-payments!

Now, make a choice, set it up and return with questions should you get stuck!

EDIT:
In fact.. instead of hashing, a completely 'random' (fixed length) unique string(s) is sufficient! Better yet: or two random strings, for a two-factor check: one string for identification, one for authentication.

Community
  • 1
  • 1
GitaarLAB
  • 14,536
  • 11
  • 60
  • 80
0

URLEncoder.encode(Encryption.encrypt(parameters), "UTF-8")

Rakesh Singh Balhara
  • 326
  • 1
  • 4
  • 13
-2

Always use POST method.

And even in POST method, user can see the id and can change it in browser console network tab.So that, user can see other's email attachment since you mentioned in your comment like that.

So, try to set id in jsp session and get the id in the java servlet code. it is really good practice.

user3662273
  • 544
  • 4
  • 10