Hi All,

My site is in ASP.NET 3.5 and C#. I am sending a link to my users through mail, and now I want to send each user a specific URL. So instead of sending clear text I want to send a link with an encrypted string in the URL, which I will decrypt on my home page. Like instead of www.mysite.aspx\mypage?userId=12 I'll send www.mysite.aspx\mypage?UserId=)@kasd12

and the same I'll decrypt on my page so that I'll get the userId = 12.

Please let me know if my approach is correct or not, and how I can encrypt and decrypt the string in the simplest and easiest manner.

Thanks in advance.

+2  A: 

Isn't it more appropriate to generate a temporary access key?

Tim Mahy
@Tim: With > 50 reputation points, you should be able to post this kind of follow-up question as a comment on the question rather than as a void answer :)
Jørn Schou-Rode
@Jørn I'd say that is a valid answer. The OP asks "Please let me know if my approach is correct"
Martin Smith
This is an answer to "Please let me know if my approach is correct". Only I'm not saying he should use the more common approach of generating unique "hard-to-guess" access codes, I'm trying to let him think about whether this is what he really wants... security through obscurity is always a bad thing btw :)
Tim Mahy
+1  A: 

I'm pretty sure this Code Project page is what you're after. It's basically an HttpModule that can be used to encrypt query strings.

Zaps
A: 

Generate a random string value instead of encryption/decryption :) And make it at least 6 or 7 characters long. Store the value in the database and once the value is received through a query string, run a SQL query to do whatever for the corresponding row :)

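protected void Page_Load(object sender, EventArgs e)
{
    // Random key taken from the e-mailed link
    string key = Request.QueryString["UserID"];

    // Bind the key as a parameter instead of placing it in the SQL text
    SqlCommand cmd = new SqlCommand("UPDATE UserTable SET UserStatus='Activated' WHERE RandomKey=@key", connection);
    cmd.Parameters.AddWithValue("@key", key);
    cmd.ExecuteNonQuery();
}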
Ranhiru Cooray
Rather than a 6 or 7 character string, use a Guid.
Ben Robinson
@Ben - I had the same bright idea only to discover that it wasn't so bright! http://stackoverflow.com/questions/643445/how-easily-can-you-guess-a-guid-that-might-be-generated
Martin Smith
Just because guids are not cryptographically secure does not mean they are not fit for this purpose. They are not suitable to use as a cryptographic key, as the data could be decrypted by generating millions of likely guids. This attack is not feasible in the context of a querystring key, as you would have to make millions of http requests in a short period of time.
Ben Robinson
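
The random-key approach discussed in the answers above, sketched as an added example that is not code from any poster in this thread: the key comes from the OS CSPRNG rather than a short string or a Guid, only its hash is stored, and it expires and works once. The `LinkTokens` class, the in-memory dictionary standing in for the database table, and the example.com URL are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper; the dictionary stands in for a database table and is not thread-safe.
public static class LinkTokens
{
    // SHA-256(token) -> (userId, expiry). Constructed in-memory store.
    private static readonly Dictionary<string, KeyValuePair<int, DateTime>> Store =
        new Dictionary<string, KeyValuePair<int, DateTime>>();

    // Issues a 128-bit token from the OS CSPRNG, encoded so it is safe in a query string.
    public static string Issue(int userId, TimeSpan lifetime)
    {
        byte[] raw = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(raw);
        string token = Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        Store[Hash(token)] = new KeyValuePair<int, DateTime>(userId, DateTime.UtcNow.Add(lifetime));
        return token;
    }

    // Returns the user id, or null if the token is unknown, expired or already used.
    public static int? Redeem(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        string key = Hash(token);
        KeyValuePair<int, DateTime> entry;
        if (!Store.TryGetValue(key, out entry)) return null;
        Store.Remove(key); // single use: a replayed link finds nothing
        return entry.Value > DateTime.UtcNow ? (int?)entry.Key : null;
    }

    // Only the hash is stored, so a leaked table does not yield working links.
    private static string Hash(string token)
    {
        using (SHA256 sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    public static void Main()
    {
        string token = Issue(12, TimeSpan.FromHours(24));
        Console.WriteLine("http://www.example.com/mypage.aspx?key=" + token);
        Console.WriteLine("first use:  " + Redeem(token));
        Console.WriteLine("second use: " + (Redeem(token).HasValue ? "accepted" : "rejected"));
    }
}
```

With a real table, the lookup in `Redeem` becomes a parameterized query on the hash column, and the delete and expiry check run in the same transaction.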