Title I hope says it all: How do I encrypt query strings in aspx.net?

P.S. I realize that this does not offer security. I'm just looking to obfuscate a puzzle.

P.P.S. I marked CKret's answer as the correct one (for the question as worded, I believe his is the most correct answer). However, for myself, I'm just going to try ChaosPandion's alternative to encryption. If I needed more security, I'd look at CKret's or Ian's. Thank you all.

+6  A: 

A blog post by Mads Kristensen about Query String encryption.

Beware of one thing though: he uses PasswordDeriveBytes within the Encrypt method. It has been replaced by Rfc2898DeriveBytes. If you only need to encrypt the query string and not every link on the page, this is fine. If, however, you want to encrypt every link too, you'll want to add a Rewriter to encrypt those query strings too.

Doing so will have a substantial impact on performance if you have many links on your pages. What you would want to do is lift out the PasswordDeriveBytes/Rfc2898DeriveBytes from the encrypt/decrypt methods and store the key and IV instead of the password and salt.

Edit:
I've published a blog post on this issue here.

Sani Huttunen
Good link. Whoever follows it should read the comments for more info.
Chris Lively
+1  A: 

Don't bother encrypting it. Just convert it to a base 64 string.

string encoded = Convert.ToBase64String(Encoding.Unicode.GetBytes(myQueryStringValue));
ChaosPandion
Note that this solution doesn't offer security - only obfuscation. (Security by obscurity is not). However, in the OP's case it seems like he's mostly interested in obfuscation, rather than security, so this would probably be a good solution, as long as you UrlEncode the returned string.
Anderson Imes
That is why I posted this answer. If he really needs security this would be a poor answer.
ChaosPandion
+1  A: 

If you're trying to hide your product IDs and things like that, then why not just use encryption?

I guess what you want to do is to stop people editing the query string to get different results. The simple way to do this is to add a hash of the query string to the query string, and have some base-page functionality check that the hash is correct for the request, identifying tampered query strings.

See Prevent query string manipulation by adding a hash?

Dead account
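
The tamper check described in the last answer, as an added example that is not code from this page or from the linked question. It uses a keyed hash (HMAC-SHA256) rather than a plain hash, because anyone who edits the query string can recompute an unkeyed hash. The class name `SignedQuery`, the `sig` parameter, the key and the sample query are all assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class SignedQuery
{
    // Constructed demo key (assumption): a real site loads this from protected configuration.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key-change-me");
    const string SigParam = "&sig="; // hypothetical parameter name

    static string Mac(string query)
    {
        using (var hmac = new HMACSHA256(Key))
        {
            byte[] tag = hmac.ComputeHash(Encoding.UTF8.GetBytes(query));
            // URL-safe base64 so the tag needs no further escaping in a URL.
            return Convert.ToBase64String(tag).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        }
    }

    public static string Sign(string query)
    {
        return query + SigParam + Mac(query);
    }

    // Returns the original query when the tag matches, or null when it is missing or altered.
    public static string Verify(string signed)
    {
        int i = signed.LastIndexOf(SigParam, StringComparison.Ordinal);
        if (i < 0) return null;
        string query = signed.Substring(0, i);
        string given = signed.Substring(i + SigParam.Length);
        return FixedTimeEquals(Mac(query), given) ? query : null;
    }

    // No early exit, so response time does not reveal how many characters matched.
    static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int k = 0; k < a.Length && k < b.Length; k++) diff |= a[k] ^ b[k];
        return diff == 0;
    }

    static void Main()
    {
        string signed = Sign("puzzle=7&step=3"); // constructed sample query
        Console.WriteLine(signed);
        Console.WriteLine(Verify(signed) != null);
        Console.WriteLine(Verify(signed.Replace("step=3", "step=4")) != null);
    }
}
```

This detects edits but does not hide the values; a base page would call `Verify` on the raw query string and reject the request when it returns null.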