views:

1601

answers:

5

I'm attempting to encode the encrypted id in the Url. Like this: http://www.calemadr.com/Membership/Welcome/9xCnCLIwzxzBuPEjqJFxC6XJdAZqQsIDqNrRUJoW6229IIeeL4eXl5n1cnYapg+N

However, it either doesn't encode correctly and I get slashes '/' in the encryption or I receive an error from IIS: The request filtering module is configured to deny a request that contains a double escape sequence.

I've tried different encodings, each fails:

  • HttpUtility.HtmlEncode
  • HttpUtility.UrlEncode
  • HttpUtility.UrlPathEncode
  • HttpUtility.UrlEncodeUnicode

Update

The problem was that when I encrypted a Guid and converted it to a base64 string it would contain unsafe URL characters. Of course when I tried to navigate to a URL containing unsafe characters IIS (7.5 / Windows 7) would blow up. URL encoding the base64 encrypted string would raise an error in IIS (The request filtering module is configured to deny a request that contains a double escape sequence.). I'm not sure how it detects double encoded strings but it did.

After trying the above methods to encode the base64 encrypted string, I decided to remove the base64 encoding. However, this leaves the encrypted text as a byte[]. I tried UrlEncoding the byte[]; it's one of the overloads hanging off the HttpUtility.Encode method. Again, while it was URL encoded, IIS did not like it and served up a "page not found."

After digging around the net I came across a HexEncoding/Decoding class. Applying the Hex Encoding to the encrypted bytes did the trick. The output is url safe. On the other side, I haven't had any problems with decoding and decrypting the hex strings.

+3  A: 

There's a difference between encrypting and encoding; those methods weren't meant for encrypting.

Because encryption is hard to get right, and incredibly easy to get wrong (while still looking just as "encrypted" as the right solution), I recommend that you instead use GUID IDs:

http://www.calemadr.com/.../{6F0184E4-809F-4e30-8A5B-4DC144135A54}

SQL server has the uniqueidentifier type just for this case.

Marcel Popescu
Seconded. There's no point in using encryption on the ID's if the purpose is just obfuscation.
womp
My apologies, I wasn't detailed enough in the question. I am trying to encode an encrypted string to be URL safe. Ironically, I am using Guids; the above encryption is a Guid. The problem is encoding an encrypted string that won't cause IIS to throw a security warning or appear to be a directory structure (contain slashes '/'). @Womp - Because of the nature of the system I have to encrypt the id.
Chuck Conway
Hmm. Why are you encrypting the GUID, then? If you're worried about someone who is not authorized reusing an URL, they could equally well reuse the URL you gave as an example. If you're worried about someone *guessing* someone else's GUID... never gonna happen.
Marcel Popescu
+1  A: 

I'm surprised UrlEncode doesn't work. What does the output of your encryption look like?

After you encrypt your Guid, try encoding it to Base64 with the Convert.ToBase64String method. Then UrlEncode the Base64 string to make it an acceptable string to be included in your URL.

Dennis Palmer
It might be better to just replace the / and + with - and _ for URLs, rather than urlencoding them.
Paul Fisher
But you also need to unencode, so then how would you know which - is a dash and which - is a slash?
Dennis Palmer
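An added example (not code from the question or any answer here) that puts the two reversible, URL-safe encodings from this thread side by side: the hex encoding the asker settled on and the base64url variant Paul Fisher suggested, which decodes unambiguously because '-' and '_' never appear in standard Base64 output. It encrypts a Guid with AES-CBC using a constructed demo key and IV, and the class and method names are my own.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class UrlSafeIdEncoding
{
    // base64url: '+' -> '-', '/' -> '_', '=' padding dropped. Decoding is
    // unambiguous because '-' and '_' never occur in standard Base64 output.
    public static string ToBase64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    public static byte[] FromBase64Url(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '='); // restore '=' padding
        return Convert.FromBase64String(b64);
    }

    // Hex: two [0-9a-f] characters per byte, so nothing ever needs URL escaping.
    public static string ToHex(byte[] data) =>
        BitConverter.ToString(data).Replace("-", "").ToLowerInvariant();
    public static byte[] FromHex(string hex)
    {
        byte[] result = new byte[hex.Length / 2];
        for (int i = 0; i < result.Length; i++)
            result[i] = Convert.ToByte(hex.Substring(2 * i, 2), 16);
        return result;
    }

    // AES-CBC with PKCS7 padding (the Aes.Create() defaults); one call for either direction.
    static byte[] AesTransform(byte[] key, byte[] iv, byte[] input, bool encrypt)
    {
        using (var aes = Aes.Create())
        using (var t = encrypt ? aes.CreateEncryptor(key, iv) : aes.CreateDecryptor(key, iv))
            return t.TransformFinalBlock(input, 0, input.Length);
    }

    public static void Main()
    {
        byte[] key = Encoding.ASCII.GetBytes("0123456789abcdef0123456789abcdef"); // constructed demo key, 32 bytes
        byte[] iv  = Encoding.ASCII.GetBytes("fedcba9876543210");                 // constructed demo IV, 16 bytes
        Guid id = Guid.NewGuid();
        byte[] cipher = AesTransform(key, iv, id.ToByteArray(), true); // 32 bytes: 16 of Guid + one padding block

        Console.WriteLine("Base64   : " + Convert.ToBase64String(cipher)); // may contain '+', '/' and '='
        Console.WriteLine("base64url: " + ToBase64Url(cipher));
        Console.WriteLine("hex      : " + ToHex(cipher));

        // Both encodings round-trip to the same ciphertext bytes and hence the same Guid.
        bool ok = new Guid(AesTransform(key, iv, FromBase64Url(ToBase64Url(cipher)), false)) == id
               && new Guid(AesTransform(key, iv, FromHex(ToHex(cipher)), false)) == id;
        Console.WriteLine(ok ? "both encodings round-trip to the original Guid" : "round-trip FAILED");
    }
}
```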
+1  A: 

Hmmm... This probably won't make any difference but you could try the AntiXSS library and its URLEncode() method.

http://www.codeplex.com/AntiXSS

HTHs, Charles

Charlino
I've used this library before. I'll give it a shot.
Chuck Conway
A: 

Don't know if it matters anymore to you but I just solved this problem on my own. I had to double urlencode.

For example

Server.UrlEncode(Server.UrlEncode(string to encode))

The problem seems to be that Request.Querystring(encoded string) automatically does a decode which is screwing up the encryption. I wish I could explain better but I'm still a little confused

jp
+4  A: 

I wrote a short blog post about this very topic including full source code.

It enables you to encrypt and decrypt data stored in query string form using a 16 char key.

Toran Billups