I have a URL www.site-address/site-page/page1.aspx?username=deepu&password=deepu. How can I change the URL to www.site-address/site-page/page1.aspx?username=232322323232&password=2323232322323? That is, I want to encrypt the fields I pass through the URL. Please help me to encrypt and decrypt the URL in C# using .NET. Right now I am using Response.Redirect and passing these values as a query string. Please help.

+4  A: 

Your approach is flawed and encrypting will not really help the underlying problem. If you go out across the 'net you will rarely (should never) see a pattern like what you are describing, even if it is encrypted.

Instead you should store the user credentials as securely as possible on the server and pass a unique, short-lived session token in the querystring that you can use to look up the credentials.

As for storing securely on the server, once you've received the user's password the first time, you should use a one-way hash, like SHA256, with a salt. You can pass this value wherever, store it, and to validate compare the hash of a potential password to the hash you have stored. Treat a user's password like toxic waste - throw it away as quickly as possible. You want to be in the password storing business about as badly as you want to be in the toxic waste storing business.

(Answered from my iPhone, links forthcoming or if someone wants to help me out! :))

Rex M
Thanks for answering. I need to pass some data to another page. If I'm passing it through the URL, I don't want the client to see the field values. Any encrypted form is possible. I didn't mean I want this form.
deepu
@deepu the answer is "don't do that". It's extremely dangerous.
Rex M
@Rex OK, then how can I pass some values to another page, other than the Server.Transfer method?
deepu
@deepu as I said in my answer - store the credential information in a database, or session, or some other location on the server and pass a token ID through the querystring instead - on the destination page use the token to go look up the info again.
Rex M
+1 for "You want to be in the password storing business about as badly as you want to be in the toxic waste storing business."
Daniel Pryden
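
The token hand-off described in the answer and comments above, as an added C# example that is not code from the thread. The class and member names, the 60-second lifetime and the in-process dictionary (single web server only) are assumptions made for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical helper (not from the thread): the values stay on the server and
// the browser only ever sees a random, single-use, short-lived token.
public static class HandoffTokens
{
    private sealed class Entry
    {
        public string Payload;
        public DateTime ExpiresUtc;
    }

    // Assumption: one worker process. A web farm needs a shared store instead.
    // Tokens that are never redeemed stay here until a periodic sweep removes them.
    private static readonly ConcurrentDictionary<string, Entry> Store =
        new ConcurrentDictionary<string, Entry>();

    // Assumed lifetime; use the shortest value the redirect flow tolerates.
    private static readonly TimeSpan Lifetime = TimeSpan.FromSeconds(60);

    public static string Issue(string payload)
    {
        var bytes = new byte[32]; // 256 bits from the OS CSPRNG, not System.Random
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        string token = BitConverter.ToString(bytes).Replace("-", ""); // hex is URL-safe
        Store[token] = new Entry { Payload = payload, ExpiresUtc = DateTime.UtcNow + Lifetime };
        return token;
    }

    // Returns false for unknown, expired or already-used tokens.
    public static bool TryRedeem(string token, out string payload)
    {
        payload = null;
        Entry entry;
        // TryRemove makes the token single-use, so a replayed URL finds nothing.
        if (string.IsNullOrEmpty(token) || !Store.TryRemove(token, out entry))
            return false;
        if (entry.ExpiresUtc < DateTime.UtcNow)
            return false;
        payload = entry.Payload;
        return true;
    }
}
```

The sending page would redirect with `Response.Redirect("page1.aspx?t=" + HandoffTokens.Issue(value))` and the destination page would call `HandoffTokens.TryRedeem(Request.QueryString["t"], out value)`; the parameter name `t` is an assumption. The payload should be the data being handed off (a user id, for example), never the password itself.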
+3  A: 

Do you really want to do this? If you bother with usernames and passwords, presumably there is some value to the information or functionality you provide. With URL parameter passing, you leave a number of attack surfaces wide open (not least replay attacks where anyone can impersonate your users).

What are you really trying to do, and why can't you use what's provided in ASP.NET?

Pontus Gagge
I agree. It is very bad form to store the credentials in the query string, even if it is encrypted. It would be very easy for someone to intercept the query string and impersonate the user.
J.Hendrix
Yeah, I need to pass some data to another page. If I'm passing it through the URL, I don't want the client to see the field values. That's all. I thought about encrypting the values and passing them. Is that possible? Is there any simple method?
deepu
You don't have to pass the username/password along! Heard about sessions? This is handled automatically for you if you just look at what MSFT recommends. Do take a look at standard ASP.NET authentication mechanisms, I urge you!
Pontus Gagge
+1  A: 

Why don't you post the values instead of using the querystring? With SSL at least no one would see the password encrypted or otherwise. Additional passwords in URL don't provide any security. It is like scattering keys to your house all over the neighborhood and hoping that no one will try them to open your house.

Basically it is a flawed premise. URLs are cached in many ways so it makes sense not to put passwords in them.

However you are not alone in putting passwords in a URL. Check this out

http://support.microsoft.com/kb/135975

ggonsalv