
I have a URL www.site-address/site-page/page1.aspx?username=deepu&password=deepu. How can I change the URL to www.site-address/site-page/page1.aspx?username=232322323232&password=2323232322323, i.e. I want to encrypt the fields I pass through the URL. Please help me to encrypt and decrypt the URL in C# using .NET. Right now I am using Response.Redirect and pass these values as a query string. Please help.

deepu
  • and breathe....punctuation is your friend. – David Neale Jun 03 '10 at 13:16
  • I'd like to know too. Not that I'd do it like this, but how exactly does "session" work? – Daren Thomas Jun 03 '10 at 13:18
  • Raise your hand if as a user you would feel comfortable seeing your username and password in the URL? Even supposedly "encrypted?" Anyone? – Anthony Pegram Jun 03 '10 at 13:19
  • Possible dupes http://stackoverflow.com/questions/1492878/how-to-encrypt-query-strings-in-aspx-net/1492927#1492927 and http://stackoverflow.com/questions/240713/how-can-i-encrypt-a-querystring-in-asp-net – Sani Huttunen Jun 03 '10 at 13:19

4 Answers


It will not work in the way you want, but yes, encryption is possible in the ways mentioned below.

Encryption page:

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Web;

string id1 = "id1";

// UrlEncode turns the '+', '/' and '=' that Base64 can produce into %2B, %2F and %3D.
Response.Redirect("decryptionPage.aspx?id1=" + HttpUtility.UrlEncode(Encrypt(id1)));

private string Encrypt(string stringToEncrypt)
{
    byte[] inputByteArray = Encoding.UTF8.GetBytes(stringToEncrypt);
    // Fixed IV and 8-byte key as posted. DES is a legacy 56-bit cipher, and a constant
    // key/IV means equal inputs always give equal ciphertexts.
    byte[] rgbIV = { 0x21, 0x43, 0x56, 0x87, 0x10, 0xfd, 0xea, 0x1c };
    byte[] key = Encoding.UTF8.GetBytes("A0D1nX0Q");
    // Exceptions are left to propagate: the original catch returned e.Message, which
    // would have redirected with an error string in place of the ciphertext.
    using (DESCryptoServiceProvider des = new DESCryptoServiceProvider())
    using (MemoryStream ms = new MemoryStream())
    using (CryptoStream cs = new CryptoStream(ms, des.CreateEncryptor(key, rgbIV), CryptoStreamMode.Write))
    {
        cs.Write(inputByteArray, 0, inputByteArray.Length);
        cs.FlushFinalBlock();
        return Convert.ToBase64String(ms.ToArray());
    }
}

Decryption page:

// Request.QueryString has already URL-decoded the value (%2B back to '+'). Calling
// HttpUtility.UrlDecode on it a second time turns '+' into a space and breaks the Base64,
// which is the failure reported in the comments, so the value is used as-is.
string getId1 = Convert.ToString(Request.QueryString["id1"]);
var qs = Decrypt(getId1);

private string Decrypt(string encryptedText)
{
    byte[] rgbIV = { 0x21, 0x43, 0x56, 0x87, 0x10, 0xfd, 0xea, 0x1c };
    byte[] key = Encoding.UTF8.GetBytes("A0D1nX0Q");   // must match the encrypting page
    byte[] inputByteArray = Convert.FromBase64String(encryptedText);
    using (DESCryptoServiceProvider des = new DESCryptoServiceProvider())
    using (MemoryStream ms = new MemoryStream())
    using (CryptoStream cs = new CryptoStream(ms, des.CreateDecryptor(key, rgbIV), CryptoStreamMode.Write))
    {
        cs.Write(inputByteArray, 0, inputByteArray.Length);
        cs.FlushFinalBlock();   // throws CryptographicException on bad padding (wrong key or altered value)
        return Encoding.UTF8.GetString(ms.ToArray());
    }
}
Bo Persson
Ankur Bhutani
  • I was looking for a similar question and came across your code. It works perfectly fine, but the `Encrypt` method generates characters which are replaced with a space when added to the URL (for example `+`). So, the `Decrypt` method will not work as I expect. Any ideas to solve it? – Yalda Sep 22 '13 at 06:34
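A hardened form of the query-string protection above, added here as an example and not code from the answer: AES-256-GCM with a fresh random nonce per value (equal inputs no longer give equal ciphertexts, and any alteration of the value is detected on decrypt) and the URL-safe Base64 alphabet, which also removes the '+'-becomes-space problem raised in the comment. It assumes .NET 8 or later; the key shown is a placeholder generated at startup and would come from configuration in a real application. As the other answers say, this is for ordinary page values, not credentials.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not from the answer): AES-256-GCM with a fresh random nonce per
// value, output in the URL-safe Base64 alphabet so no UrlEncode/UrlDecode step is needed.
public static class QueryStringProtector
{
    private const int NonceBytes = 12, TagBytes = 16;

    // PLACEHOLDER key for this example only: a real app loads one 32-byte key from protected
    // configuration or a key vault so that both pages (and all servers) share it.
    private static readonly byte[] Key = RandomNumberGenerator.GetBytes(32);

    public static string Protect(string plaintext)
    {
        byte[] pt = Encoding.UTF8.GetBytes(plaintext);
        // Wire format: nonce || ciphertext || tag
        byte[] blob = new byte[NonceBytes + pt.Length + TagBytes];
        RandomNumberGenerator.Fill(blob.AsSpan(0, NonceBytes));   // never reuse a nonce under one key
        using (var aes = new AesGcm(Key, TagBytes))
            aes.Encrypt(blob.AsSpan(0, NonceBytes), pt,
                        blob.AsSpan(NonceBytes, pt.Length),
                        blob.AsSpan(NonceBytes + pt.Length, TagBytes));
        // '+', '/' and '=' are exactly the Base64 characters that break in a query string.
        return Convert.ToBase64String(blob).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    public static string Unprotect(string token)
    {
        string b64 = token.Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        byte[] blob = Convert.FromBase64String(b64);
        int ctLen = blob.Length - NonceBytes - TagBytes;
        if (ctLen < 0) throw new CryptographicException("token too short");
        byte[] pt = new byte[ctLen];
        using (var aes = new AesGcm(Key, TagBytes))
            aes.Decrypt(blob.AsSpan(0, NonceBytes), blob.AsSpan(NonceBytes, ctLen),
                        blob.AsSpan(NonceBytes + ctLen, TagBytes), pt);   // throws if altered
        return Encoding.UTF8.GetString(pt);
    }
}

// Sending page:   Response.Redirect("decryptionPage.aspx?id1=" + QueryStringProtector.Protect("id1"));
// Receiving page: string id1 = QueryStringProtector.Unprotect(Request.QueryString["id1"]);
```

On ASP.NET Core the framework's Data Protection API (IDataProtector.Protect/Unprotect) provides the same authenticated encryption with managed keys and URL-safe output, and is the idiomatic choice there.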

Your approach is flawed and encrypting will not really help the underlying problem. If you go out across the 'net you will rarely (should never) see a pattern like what you are describing, even if it is encrypted.

Instead you should store the user credentials as securely as possible on the server and pass a unique, short-lived session token in the querystring that you can use to look up the credentials.

As for storing securely on the server, once you've received the user's password the first time, you should use a one-way hash, like SHA256, with a salt. You can pass this value wherever, store it, and to validate compare the hash of a potential password to the hash you have stored. Treat a user's password like toxic waste - throw it away as quickly as possible. You want to be in the password storing business about as badly as you want to be in the toxic waste storing business.

(Answered from my iPhone, links forthcoming or if someone wants to help me out! :))

Rex M
  • Thanks for answering. I need to pass some data to another page. If I'm passing it through the URL, I don't want the client to see the field values. Any encrypted form is possible; I didn't mean I want this form. – deepu Jun 03 '10 at 13:26
  • @deepu the answer is "don't do that". It's extremely dangerous. – Rex M Jun 03 '10 at 13:29
  • OK, then how can I pass some values to another page, other than the Server.Transfer method? – deepu Jun 03 '10 at 13:36
  • @deepu as I said in my answer - store the credential information in a database, or session, or some other location on the server and pass a token ID through the querystring instead - on the destination page use the token to go look up the info again. – Rex M Jun 03 '10 at 14:51
  • +1 for "You want to be in the password storing business about as badly as you want to be in the toxic waste storing business." – Daniel Pryden Jun 03 '10 at 20:18
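The token handoff this answer describes, as an added example (not the answerer's code): the destination page receives only a random, short-lived, single-use token and resolves it on the server, while the credential itself is kept as a salted hash, here PBKDF2-SHA256 (iterated salted SHA256) compared in constant time. It assumes .NET 6 or later; the in-memory store is a stand-in for Session or a database table, and the page names are hypothetical.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical handoff store (not from the answer): stands in for Session or a database table.
// Only a random token crosses the wire; the server maps it back to the user.
public static class HandoffTokens
{
    private sealed class Entry { public string UserId; public DateTime Expires; }
    private static readonly ConcurrentDictionary<string, Entry> Store = new ConcurrentDictionary<string, Entry>();
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(2);   // short-lived

    // Sending page: Response.Redirect("page2.aspx?t=" + HandoffTokens.Issue(userId));
    public static string Issue(string userId)
    {
        // 256 bits from the CSPRNG, in the URL-safe alphabet so no UrlEncode is needed.
        string token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32))
                              .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        Store[token] = new Entry { UserId = userId, Expires = DateTime.UtcNow + Lifetime };
        return token;
    }

    // Destination page: removed on first use (a copied URL cannot be replayed); unknown or expired tokens fail.
    public static bool TryRedeem(string token, out string userId)
    {
        userId = null;
        if (string.IsNullOrEmpty(token) || !Store.TryRemove(token, out Entry e)) return false;
        if (DateTime.UtcNow > e.Expires) return false;
        userId = e.UserId;
        return true;
    }
}

// The password itself never leaves the server: keep salt + PBKDF2-SHA256 hash and compare in constant time.
public static class PasswordHash
{
    private const int Iterations = 600_000, SaltBytes = 16, HashBytes = 32;

    public static (byte[] Salt, byte[] Hash) Create(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        return (salt, Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashBytes));
    }

    public static bool Verify(string password, byte[] salt, byte[] storedHash)
    {
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashBytes);
        return CryptographicOperations.FixedTimeEquals(hash, storedHash);
    }
}
```

Entries that are never redeemed stay in the dictionary until something sweeps them; a real store would expire them on a timer or let the database do it.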

Do you really want to do this? If you bother with usernames and passwords, presumably there is some value to the information or functionality you provide. With URL parameter passing, you leave a number of attack surfaces wide open (not least replay attacks, where anyone can impersonate your users).

What are you really trying to do, and why can't you use what's provided in ASP.NET?

Pontus Gagge
  • I agree. It is very bad form to store the credentials in the query string, even if it is encrypted. It would be very easy for someone to intercept the query string and impersonate the user. – J.Hendrix Jun 03 '10 at 13:30
  • Yeah, I need to pass some data to another page. If I'm passing it through the URL, I don't want the client to see the field values. That's all; I thought about encrypting the values and passing them. Is that possible? Is there any simple method? – deepu Jun 03 '10 at 13:32
  • You don't have to pass the username/password along! Heard about sessions? This is handled automatically for you if you just look at what MSFT recommends. Do take a look at standard ASP.NET authentication mechanisms, I urge you! – Pontus Gagge Jun 03 '10 at 14:23

Why don't you post the values instead of using the querystring? With SSL, at least, no one would see the password, encrypted or otherwise. Additionally, passwords in a URL don't provide any security. It is like scattering keys to your house all over the neighborhood and hoping that no-one will try them to open your house.

Basically it is a flawed premise. URLs are cached in many ways, so it makes sense not to put passwords in them.

However you are not alone in putting passwords in a URL. Check this out

http://support.microsoft.com/kb/135975

ggonsalv
  • Yes, of course you should use the POST method when you have to send passwords from one page to another; it can be used in the situation when you are using some values in the page based on the querystring. – Ankur Bhutani May 02 '14 at 06:46