Encrypting an id in an URL in ASP.NET MVC

Question

I'm attempting to encode the encrypted id in the Url. Like this: http://www.calemadr.com/Membership/Welcome/9xCnCLIwzxzBuPEjqJFxC6XJdAZqQsIDqNrRUJoW6229IIeeL4eXl5n1cnYapg+N

However, it either doesn't encode correctly and I get slashes '/' in the encryption or I receive and error from IIS: The request filtering module is configured to deny a request that contains a double escape sequence.

I've tried different encodings, each fails:

• HttpUtility.HtmlEncode
• HttpUtility.UrlEncode
• HttpUtility.UrlPathEncode
• HttpUtility.UrlEncodeUnicode

Update

The problem was I when I encrypted a Guid and converted it to a base64 string it would contain unsafe url characters . Of course when I tried to navigate to a url containing unsafe characters IIS(7.5/ windows 7) would blow up. Url Encoding the base64 encrypted string would raise and error in IIS (The request filtering module is configured to deny a request that contains a double escape sequence.). I'm not sure how it detects double encoded strings but it did.

After trying the above methods to encode the base64 encrypted string. I decided to remove the base64 encoding. However this leaves the encrypted text as a byte[]. I tried UrlEncoding the byte[], it's one of the overloads hanging off the httpUtility.Encode method. Again, while it was URL encoded, IIS did not like it and served up a "page not found."

After digging around the net I came across a HexEncoding/Decoding class. Applying the Hex Encoding to the encrypted bytes did the trick. The output is url safe. On the other side, I haven't had any problems with decoding and decrypting the hex strings.

Answer 1

There's a difference between encrypting and encoding; those methods weren't meant for encrypting.

Because encryption is hard to get right, and incredibly easy to get wrong (while still looking just as "encrypted" as the right solution), I recommend that you instead use GUID IDs:

http://www.calemadr.com/.../{6F0184E4-809F-4e30-8A5B-4DC144135A54}

SQL server has the uniqueidentifier type just for this case.

Answer 2

I'm surprised UrlEncode doesn't work. What does the output of your encryption look like?

After you encrypt your Guid, try encoding it to Base64 with the Convert.ToBase64String method. Then UrlEncode the Base64 string to make it an acceptable string to be included in your URL.

Answer 3

Hmmm... This probably won't make any difference but you could try the AntiXSS library and it's URLEncode() method.

http://www.codeplex.com/AntiXSS

HTHs, Charles

Answer 4

Don't know if it matters anymore to you but I just solved this problem on my own. I had to double urlencode.

For example

Server.UrlEncode(Server.UrlEncode(string to encode))

The problem seems to be that Request.Querystring(encoded string) automatically does a decode which is screwing up the encryption. I wish I could explain better but I'm still a little confused

Answer 5

I wrote a short blog post about this very topic including full source code.

It enables you to encrypt and decrypt data stored in query string form using a 16 char key.