3

I was wondering how you could encrypt/decrypt your querystring in a simple asp.net page? some values need to be passed between different pages but the querystring cannot be changed or read.

Some say httphandles could be the solution for this.

Any thoughts?

MORE BACKGROUND INFO:

hi thx for all the comments. this is the problem, sometimes the sessions disappear without any reason (well there must be one but I don't know it yet). I've looked into the possible reasons but nothing that could cause it is happening. Therefore I cannot rely on it anymore. The cookie solution is a possibility but it will be more work to implement than simply using the querystring. The url can be copied at any time just not changed!

Cheers, M.

user29964
  • 15,740
  • 21
  • 56
  • 63
  • 2
    This is a Really Bad Idea. If you need to pass values to different pages, why not use a Postback, or a value in the database. Encrypting the query string results in ugly URLs and isn't foolproof. – George Stocker Jun 07 '10 at 13:14
  • 1
    This does smell all over of "bad plan". I really think you may have the wrong architecture. Can you keep this information server-side? You really shouldn't be transferring sensitive information in this way, encrypted or not. Perhaps you can expand on how you think "sessions are unreliable". Maybe you could tell us a use case that you feel this construct provides a solution to. – Cheekysoft Jun 07 '10 at 13:38
  • 1
    ++ to using a cookie. avoids the session timeout problem you seem to be concerned about below. The only thing you get with what you're trying to do above is your URLs will be copy/paste-able, which you may/may not want. Cookies are tied to a particular machine. Do you want the URL to be sendable via email/IM/etc? The querystring would be your only option if that were the case. – Tim Coker Jun 07 '10 at 13:39

4 Answers4

2

You'll have to encrypt it manually using one of the .Net encryptions. Really this isn't what the query string is for. If you don't want the users to be able to access it, you should find a different way of passing it between pages.

Here is a project that will show you how to do symmetric encryption. http://www.codeproject.com/KB/security/SimpleEncryption.aspx

Dare I mention this, because it will create significant overhead, but you can post your information in the view state and use cross page posts to pass the information around:

http://www.velocityreviews.com/forums/t119789-view-state-in-previous-page-using-cross-page-postback.html

kemiller2002
  • 113,795
  • 27
  • 197
  • 251
  • yeah i know but sessions aren't reliable. i really have no more idea on how to pass the values. – user29964 Jun 07 '10 at 13:07
  • 1
    Dude. Sessions ARE perfectly reliable. ViewState however doesn't actually use sessions, just a hidden HTML form field. Not that it would help you, given that it's lost between different pages. – tomfanning Aug 04 '11 at 17:48
2

I needed to do this and just for reference this was my chosen solution.

Use a HTTPModule to encrypt and decrypt. Then just put the module in the web.config.

Found it here: https://madskristensen.net/blog/httpmodule-for-query-string-encryption/

From the article:

What we need is an HttpModule that can turn the encrypted query string into a normal readable one, so that we can still use our old logic like Request.QueryString["user"]. In other words, we want the user to see this

?enc=VXzal017xHwKKPolDWQJoLACDqQ0fE//wGkgvRTdG/GgXIBDd1

while your code sees this

?user=123&account=456.

Sample code in the article has the module you would add.

Community
  • 1
  • 1
Mike Mengell
  • 2,310
  • 2
  • 21
  • 35
1

How about adding the value you need to the Viewstate? Viewstate can encrypted and validated for you.

ViewState["myKey"] = "myValue";

and then later

string myValue = ViewState["myKey"]

To enable encryption:

<%@Page ViewStateEncryptionMode="Always" %>

or

<configuration>
   <system.web>
      <pages ViewStateEncryptionMode="Always" />
   </system.web>
</configuration>
Paul Kearney - pk
  • 5,435
  • 26
  • 28
0

Here is a project that will show you how to do symmetric encryption. http://www.codeproject.com/KB/security/SimpleEncryption.aspx

Dare I mention this, because it will create significant overhead, but you can post your information in the view state and use cross page posts to pass the information around:

http://www.velocityreviews.com/forums/t119789-view-state-in-previous-page-using-cross-page-postback.html

Kanwar Singh
  • 908
  • 12
  • 21