0

My site is in asp.net 3.5 and C#. I am sending a link to my users through mail, and now I want to send each user a specific URL. So instead of sending clear text, I want to send a link with an encrypted string in the URL, which I will decrypt on my home page. For example, instead of www.mysite.aspx\mypage?userId=12 I'll send www.mysite.aspx\mypage?UserId=)@kasd12 and decrypt it on my page so that I get userId = 12.

Please let me know whether my approach is correct or not, and how I can encrypt and decrypt the string in the simplest and easiest manner.

Nalaka526
Zerotoinfinity
  • 1
    possible duplicate of [Simple 2 way encryption for C#](http://stackoverflow.com/questions/165808/simple-2-way-encryption-for-c) or [Encrypt/Decrypt string in .NET](http://stackoverflow.com/questions/165808/simple-2-way-encryption-for-c) – Jørn Schou-Rode May 29 '10 at 16:38
  • @Jørn Thanks, I've deleted my suggestion to use a GUID. This thread was the clincher! http://stackoverflow.com/questions/643445/how-easily-can-you-guess-a-guid-that-might-be-generated – Martin Smith May 29 '10 at 17:03

3 Answers

2

Isn't it more appropriate to generate a temporary access key?

Tim Mahy
  • 1
    With > 50 reputation points, you should be able to post this kind of follow-up questions as comments to the question rather than as a void answer :) – Jørn Schou-Rode May 29 '10 at 16:41
  • 1
    @Jørn I'd say that is a valid answer. The OP asks "Please let me know if my approach is correct" – Martin Smith May 29 '10 at 16:43
  • 2
    This is an answer to "Please let me know if my approach is correct". Only I'm not saying he should use the more common approach of generating unique "hard-to-guess" access codes, I'm trying to let him think about whether this is what he really wants.... security through obscurity is always a bad thing btw :) – Tim Mahy May 29 '10 at 16:45
1

I'm pretty sure this Code Project page is what you're after. It's basically an HttpModule that can be used to encrypt querystrings.

Riain McAtamney
1

Generate a random string value instead of encryption/decryption :) And make it at least 6 or 7 characters long. Store the value in the database and once the value is received through a query string, run a SQL query to do whatever for the corresponding row :)

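```csharp
protected void Page_Load(object sender, EventArgs e)
{
    string key = Request.QueryString["UserID"];
    if (string.IsNullOrEmpty(key)) return;
    // Bind the key as a parameter instead of embedding it in the SQL text.
    // SqlCommand is in System.Data.SqlClient; "connection" is an open SqlConnection.
    SqlCommand cmd = new SqlCommand("UPDATE UserTable SET UserStatus='Activated' WHERE RandomKey=@key", connection);
    cmd.Parameters.AddWithValue("@key", key);
    cmd.ExecuteNonQuery();
}
```
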
Ranhiru Jude Cooray
  • Rather than a 6 or 7 character string, use a Guid. – Ben Robinson May 29 '10 at 17:47
  • @Ben - I had the same bright idea only to discover that it wasn't so bright! http://stackoverflow.com/questions/643445/how-easily-can-you-guess-a-guid-that-might-be-generated – Martin Smith May 29 '10 at 17:57
  • 1
    Just because guids are not cryptographically secure does not mean they are not fit for this purpose. They are not suitable to use as a cryptographic key, as the data could be decrypted by generating millions of likely guids. This attack is not feasible in the context of a querystring key, as you would have to make millions of http requests in a short period of time – Ben Robinson May 29 '10 at 18:16
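
The random-key approach suggested in the answers above, written out as an added example (not code from any of the posters): a 128-bit token from the OS random number generator, stored only as a hash and looked up on the landing page. The `TokenStore` class, the in-memory dictionary standing in for a database table, the 24-hour lifetime and the single-use rule are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example. TokenStore and its dictionary are hypothetical stand-ins
// for a database table with columns (TokenHash, UserId, ExpiresUtc).
public static class TokenStore
{
    class Entry { public int UserId; public DateTime ExpiresUtc; }
    static readonly Dictionary<string, Entry> table = new Dictionary<string, Entry>();

    // 16 bytes (128 bits) from the OS CSPRNG, encoded URL-safe for a query string.
    public static string Issue(int userId, TimeSpan lifetime)
    {
        byte[] raw = new byte[16];
        RandomNumberGenerator.Create().GetBytes(raw);
        string token = Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        // Store only a hash, so a leaked table does not yield usable links.
        table[Hash(token)] = new Entry { UserId = userId, ExpiresUtc = DateTime.UtcNow.Add(lifetime) };
        return token;
    }

    // Returns the user id for a valid, unexpired token, or null. Tokens are single-use.
    public static int? Redeem(string token)
    {
        Entry e;
        if (string.IsNullOrEmpty(token) || !table.TryGetValue(Hash(token), out e)) return null;
        table.Remove(Hash(token)); // consume on first use
        return DateTime.UtcNow <= e.ExpiresUtc ? (int?)e.UserId : null;
    }

    static string Hash(string token)
    {
        byte[] digest = SHA256.Create().ComputeHash(Encoding.UTF8.GetBytes(token));
        return Convert.ToBase64String(digest);
    }
}

public static class Program
{
    public static void Main()
    {
        string token = TokenStore.Issue(12, TimeSpan.FromHours(24));
        Console.WriteLine("mypage.aspx?key=" + token);       // link to mail out
        Console.WriteLine(TokenStore.Redeem(token));         // first use of the link
        Console.WriteLine(TokenStore.Redeem(token) == null); // replay of the same link
        Console.WriteLine(TokenStore.Redeem("12") == null);  // guessed value, never issued
    }
}
```

In a real page the dictionary operations become parameterized SQL statements against the token table, and the user id never appears in the URL at all.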