4
string emailfield=txtEmail.Text.ToString();
string url = 
   "http://localhost:3076/user/Authenticate-Users.aspx?email="+emailfield;

I want to encrypt the querystring and then decrypt it. Is there any way to do this in C#?

Thanks

SwDevMan81
abhijit
  • The best solution is to just host the service over HTTPS. Failing that: who's going to decrypt the email address? Do you want to use symmetric or asymmetric encryption? – Chris Wenham Mar 15 '11 at 17:47
  • As Wenham suggests, you might be looking for the wrong solution. If you can explain why you want to encrypt and then decrypt your message, then you are likely to get a far better answer. – Kimball Robinson Mar 15 '11 at 17:49
  • See http://stackoverflow.com/questions/2966255/how-to-encrypt-decrypt-the-url-in-c or http://stackoverflow.com/questions/240713/how-can-i-encrypt-a-querystring-in-asp-net or http://stackoverflow.com/questions/1492878/how-to-encrypt-query-strings-in-aspx-net/1492927#1492927 – SwDevMan81 Mar 15 '11 at 17:49
  • Are you authenticating a user solely based on email address? That's ridiculous. You need to incorporate a password in there somewhere. Also, I fixed your spelling. ["dis" isEqualToString:@"this"] != true; – FreeAsInBeer Mar 15 '11 at 17:50
  • There is a page wherein I authenticate the users. Users come to this URL only if they have entered a valid email ID, but knowing the URL. After coming to this URL, a database entry is made against the user that his/her email ID is validated, but without clicking on the activation link some might just use the URL and embed their email ID and check for validation. I have taken all the steps to avoid DoS, but the client wants an encrypted query string. Can I do it in C#? I want 64-bit encryption. – abhijit Mar 15 '11 at 17:53
  • @FreeAsInBeer This is just part of a page, not login or whatever. We are fine with the email, friend. We are following this: there is one page on which he enters his ID; on doing so, if the email is valid, he receives a mail in which there is one activation link. He is directed towards that URL, which includes the query string. – abhijit Mar 15 '11 at 17:55
  • -1 for not even attempting to properly use the English language. – FreeAsInBeer Mar 15 '11 at 17:58
  • FYI, 64-bit "encryption" is no more safe than just using XOR. It can be broken in minutes. Someone else mentioned using GUIDs that map to email addresses. That sounds like what you're looking for. – Bengie Mar 15 '11 at 18:36

4 Answers

7

You can encrypt a name/value collection to a string, and then just pass that encrypted string as a single query argument.

I demonstrate this technique in an article, Encrypting Query Arguments.

Jonathan Wood
2

Since encrypted data will most likely contain special characters it must be base64-encoded or similar.

You can find an encode / decode class that does the dirty work for you. Many of them out there. Here is one example.

Tedd Hansen
  • Tedd is right. Once you have an encrypted value and you then want to use this in the URL somewhere (like query string argument), you'll need to convert the "special characters" so that they can be used in the URL. Typically this is then base 64 encoded. Just search on how to Base64 encode it. – Jaans Jan 08 '13 at 05:59
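
The two answers above (encrypt a name/value collection into a single query argument, then Base64-encode the result so it survives a URL) combine as follows. This is an added example, not code from either answer or from the linked article; it assumes .NET 8 or later, uses AES-GCM so that a modified value is rejected on decryption, and the class name, the `data` parameter and the sample email are hypothetical.

```csharp
// Added example, not code from the answers. Assumes .NET 8+; "data" is a hypothetical parameter name.
using System;
using System.Collections.Specialized;
using System.Security.Cryptography;
using System.Text;
using System.Web;

public static class QueryProtector
{
    private const int NonceSize = 12, TagSize = 16;

    // Serializes the pairs, encrypts with AES-GCM, returns nonce|tag|ciphertext as URL-safe Base64.
    public static string Protect(NameValueCollection values, byte[] key)
    {
        NameValueCollection qs = HttpUtility.ParseQueryString(string.Empty);
        qs.Add(values);                                    // ToString() gives URL-encoded name=value&...
        byte[] plain = Encoding.UTF8.GetBytes(qs.ToString());
        byte[] blob = new byte[NonceSize + TagSize + plain.Length];
        Span<byte> nonce = blob.AsSpan(0, NonceSize);
        RandomNumberGenerator.Fill(nonce);                 // fresh random nonce for every message
        using var aes = new AesGcm(key, TagSize);
        aes.Encrypt(nonce, plain, blob.AsSpan(NonceSize + TagSize), blob.AsSpan(NonceSize, TagSize));
        return Convert.ToBase64String(blob).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Reverses Protect; throws FormatException or CryptographicException on malformed or altered input.
    public static NameValueCollection Unprotect(string token, byte[] key)
    {
        string b64 = token.Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        byte[] blob = Convert.FromBase64String(b64);
        if (blob.Length < NonceSize + TagSize) throw new CryptographicException("Token too short.");
        byte[] plain = new byte[blob.Length - NonceSize - TagSize];
        using var aes = new AesGcm(key, TagSize);
        aes.Decrypt(blob.AsSpan(0, NonceSize), blob.AsSpan(NonceSize + TagSize), blob.AsSpan(NonceSize, TagSize), plain);
        return HttpUtility.ParseQueryString(Encoding.UTF8.GetString(plain));
    }
}

public static class Demo
{
    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32);   // constructed for the demo; load the real key from a secret store
        var args = new NameValueCollection { { "email", "user+test@example.com" } };
        string token = QueryProtector.Protect(args, key);
        Console.WriteLine("Authenticate-Users.aspx?data=" + token);
        Console.WriteLine(QueryProtector.Unprotect(token, key)["email"]);
    }
}
```

The token hides and integrity-protects the email, but anyone who obtains the link can still replay it, so the receiving page should treat it as single-use.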
0

Possibly looking for Server.UrlEncode?

The URLEncode method applies URL encoding rules, including escape characters, to a specified string.

(Just in case you were too specific with "encrypt", otherwise others have good answers regarding protecting the string's value.)

Brad Christie
0

A simpler solution could be to store a GUID along with the user account when it is created. You could call it VerificationCode, for example. When you create the user account, you randomly store a GUID with it, 120a9c10-4f2e-11e0-b8af-0800200c9a66 for example.

Now, in the activation link, you embed the GUID instead of the email address: http://localhost:3076/user/Authenticate-Users.aspx?code=120a9c10-4f2e-11e0-b8af-0800200c9a66

When the page executes, it looks up the user by the GUID to mark that the account has been confirmed.

Joel Beckham
  • @Beckham, as far as I know, GUIDs are not cryptographically secure or unique. Wikipedia quote: "Cryptanalysis of the WinAPI GUID generator shows that, since the sequence of V4 GUIDs is pseudo-random, given full knowledge of the internal state, it is possible to predict previous and subsequent values..." http://en.wikipedia.org/wiki/Globally_Unique_Identifier --- so it's probably better to use a hash function such as SHA-2 (see http://msdn.microsoft.com/en-us/library/system.security.cryptography.sha256.aspx) – Kimball Robinson Mar 15 '11 at 18:25
  • If the Guid is stored in the database with a unique constraint this will not be a problem. What's the purpose of encrypting the email? You can perhaps predict subsequent values but you can do validation in the HTTP POST http://stackoverflow.com/a/13355076/1288063 – riadh gomri Mar 25 '13 at 13:20
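
A variant of the verification-code approach that takes the predictability concern from the comments into account, as an added example that is not code from the answer: the code comes from the operating system's cryptographic random number generator instead of a GUID, only its SHA-256 hash is stored, and it is single-use with an expiry. The class, the in-memory dictionary standing in for the user table, and the 24-hour lifetime are assumptions.

```csharp
// Added example, not code from the answers. The dictionary is a stand-in for the user table.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed class ActivationCodes
{
    // Key: SHA-256 of the code, so a leaked table does not reveal usable activation links.
    private readonly Dictionary<string, (string Email, DateTimeOffset Expires)> _pending = new();

    // Issues a 256-bit code from the OS CSPRNG and remembers only its hash.
    public string Issue(string email, TimeSpan lifetime, DateTimeOffset now)
    {
        string code = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        _pending[HashOf(code)] = (email, now + lifetime);
        return code;
    }

    // Succeeds once per issued code; unknown, replayed and expired codes all fail the same way.
    public bool TryConfirm(string code, DateTimeOffset now, out string email)
    {
        email = "";
        if (string.IsNullOrEmpty(code) || !_pending.Remove(HashOf(code), out var entry)) return false;
        if (now > entry.Expires) return false;
        email = entry.Email;
        return true;
    }

    private static string HashOf(string code) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(code)));
}

public static class Demo
{
    public static void Main()
    {
        var codes = new ActivationCodes();
        DateTimeOffset now = DateTimeOffset.UtcNow;
        string code = codes.Issue("user@example.com", TimeSpan.FromHours(24), now);  // constructed sample address
        Console.WriteLine("http://localhost:3076/user/Authenticate-Users.aspx?code=" + code);
        Console.WriteLine(codes.TryConfirm(code, now, out string email) + " " + email);  // first use
        Console.WriteLine(codes.TryConfirm(code, now, out _));                           // replay of the same link
        Console.WriteLine(codes.TryConfirm(new string('0', 64), now, out _));            // guessed code
    }
}
```

Because the email never appears in the link, there is nothing to encrypt, and a visitor cannot confirm an address by typing it into the URL.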