Encypting query string in Asp.Net

When you pass information from one page to another, you are passing information that anybody can sniff. For example consider a scenario, in which you pass the customer id as a query string:

http://www.yourapplication.com?customer_id=15

Now if somebody replaced 15 with say 10 or any other number, they can pull up other customer information. And that’s bad for security.

One solution to this problem is to use encryption using a secret key. So lets use a hard-to-crack 8 byte key like $zm0!qp?

To accomplish this here is a code snippet

using System;
using System.IO;
using System.Xml;
using System.Text;
using System.Security.Cryptography;

public class Encryption64
{
    private byte[] key = {};
    private byte[] IV = {18, 52, 86, 120, 144, 171, 205, 239};

    public string Decrypt(string stringToDecrypt, string sEncryptionKey)
    {
		byte[] inputByteArray = new byte[stringToDecrypt.Length + 1];
		try
		{
			key = System.Text.Encoding.UTF8.GetBytes(sEncryptionKey, 8);
			DESCryptoServiceProvider des = new DESCryptoServiceProvider();
			inputByteArray = Convert.FromBase64String(stringToDecrypt);
			MemoryStream ms = new MemoryStream();
			CryptoStream cs = new CryptoStream(ms, des.CreateDecryptor(key, IV), CryptoStreamMode.Write);
			cs.Write(inputByteArray, 0, inputByteArray.Length);
			cs.FlushFinalBlock();
			System.Text.Encoding encoding = System.Text.Encoding.UTF8;
			return encoding.GetString(ms.ToArray());
		}
		catch (Exception e)
		{
			return e.Message;
		}
    }

    public string Encrypt(string stringToEncrypt, string sEncryptionKey)
    {
		try
		{
			key = System.Text.Encoding.UTF8.GetBytes(sEncryptionKey, 8);
			DESCryptoServiceProvider des = new DESCryptoServiceProvider();
			byte[] inputByteArray = Encoding.UTF8.GetBytes(stringToEncrypt);
			MemoryStream ms = new MemoryStream();
			CryptoStream cs = new CryptoStream(ms, des.CreateEncryptor(key, IV), CryptoStreamMode.Write);
			cs.Write(inputByteArray, 0, inputByteArray.Length);
			cs.FlushFinalBlock();
			return Convert.ToBase64String(ms.ToArray());
		}
		catch (Exception e)
		{
			return e.Message;
		}
    }
}

The end user will get to see a random text in the query string, something like

http://www.yourapplication.com/Receive.aspx?key=a2f5ckj?h79#8dd3

Remember stay secure stay safe.

asp.net, c#

Print article

Follow any responses to this post through RSS 2.0. You can leave a response or trackback from your own site.

Related Posts
Comments (0)

No comments yet.

No trackbacks yet.

NOLOCK in LINQ

about 4 months ago - No comments

The NOLOCK table hint, also known as READUNCOMITTED, is applicable to SELECT statements only. NOLOCK indicates that no shared locks are issued against the table that would prohibit other transactions from modifying the data in the table. The most recommended way of implementing NOLOCK is to use a TransactionScope to affect the TransactionOptions associated with

Random Row – Linq to SQL

about 5 months ago - No comments

You can retrieve a random data record from an SQL database through LINQ using a User Defined Function. We can implement the above in a partial class for the target context. partial class MyTargetContext { [Function(Name="NEWID", IsComposable=true)] public Guid Random() { throw new NotImplementedException(); } } In the above example which returns a uniqe identifier

ObjectTrackingEnabled – LINQ

about 6 months ago - No comments

You may come across a requirement, where you will retrieve data only for reading. LINQ monitors the changes, which as you might have guessed is the not the best solution everywhere, especially in the above scenario. Here is a quick tip to increase the performance by disabling object tracking in LINQ using the ObjectTrackingEnabled property.

Multiline TextBox Length Validation

about 1 year ago - No comments

Unlike the normal TextBox, the MaxLength property doesnt work for MultiLine TextBox. Heres a small trick to solve the problem: <asp:TextBox ID="txtExample" runat="server" TextMode="MultiLine" /> <asp:RegularExpressionValidator ID="revExample" runat="server" ControlToValidate="txtExample" ValidationExpression="[\s\S]{1,200}" Display="Dynamic" ErrorMessage="Length cannot be greater than 200 characters" /> The above markup validates the revExample TextBox / textarea and limits the max characters to 200.

vCalendar – C# Implementation

about 1 year ago - No comments

I needed to integrate support for vCalendar in my current project. So i went through the vCalendar spec 1.0 at http://www.imc.org/pdi/vcal-10.txt and wrote this class. Although I have not implemented all the specification features, but this should prove sufficient for the usual requirements. If you have any comments / suggestions , let me know. using

An anonymous type cannot have multiple properties with the same name

about 1 year ago - No comments

If you are using LINQ and have a query that looks something like this : var myUser = (from user in dbContext.Users join comp in dbContext.Companies on user.CompanyID equals comp.CompanyID where user.UserID == “12345″ select new {user.UserID, user.Name, comp.Name}).SingleOrDefault(); string _userID = myUser.UserID; string _userName = myUser.Name; string _companyName = myUser.Name; In the above code,

Asp.Net Read Reciept Request

about 1 year ago - No comments

Here’s a quick tip. If you need to include a request for read receipt like Microsoft Outlook while sending mails through Asp.net, just add the Disposition-Notification-To Header to the MailMessage. The MailMessage class does not have a corresponding attribute and thus it has to be set through the Header. MailMessage mm = new MailMessage(fromAddress, toAddress);

Generic Handler – Session State

about 1 year ago - No comments

In my current project I needed to access the Session state in a Generic Handler. To my dismay, i realized that the Session StateBag was null. The StateBag class is sealed and manages the Viewstate of the Asp.net server controls and pages. Upon discussion with my colleague, Mr. Hamed, we found the solution to my

Asp.Net Reset Password

about 2 years ago - No comments

If you are using Membership Provider in your ASP.net application, you might come across a scenario in which you need to have both Security Question and Answer feature and would also like to pro-grammatically reset the password for an account. So if you run the code string username = “user”; string password = “password”; MembershipUser

Tags

asp.net c# css freebie google javascript jQuery linq mysql open source php sql tools visual studio wordpress
WP Cumulus Flash tag cloud by Roy Tanck and Luke Morton requires Flash Player 9 or better.
My Tweeets

Loading tweets...

Follow me on Twitter!
User Login

User

Password

Remember me
- Lost your password?
Accounts

Encypting query string in Asp.Net

No comments yet.

No trackbacks yet.

Tags

My Tweeets

User Login

Accounts