I'am sending some data by the querystring. But I don't want it to be
seen exactly because of security reasons. Is there a way to encrypt it
and later decrypt when reading the querystring...?
I would be very happy with some sample code. 10 11654
It's generally a bad idea to send any sensitive data using the querystring,
for security purposes.
You'll need to encrypt using the System.Security.Cyptography classes. What
you can do is use RC4 encryption to encrypt your string, and then convert it
to Hex so it can safely be passed in the querystring.
I've done this in classic ASP, but haven't got round to converting it to
..net yet, so unfortunately I don't have a code sample. If you'd like to see
the classic ASP version, let me know.
Hope this helps,
Mun
"Onur Bozkurt" <onur.bozkurt@ßofthome.net> wrote in message
news:Oz**************@TK2MSFTNGP11.phx.gbl... I'am sending some data by the querystring. But I don't want it to be seen exactly because of security reasons. Is there a way to encrypt it and later decrypt when reading the querystring...? I would be very happy with some sample code.
The real problem with this situation is that he wants to encrypt data and
then put it into the Query String. If that data controls the functionality
of the page, it doesn't matter whether it's encrypted or not. The URL will
still invoke the functionality in the page that the Query String parameter
specifies, regardless of the user's ability to understand it.
--
HTH,
Kevin Spencer
Microsoft MVP
..Net Developer http://www.takempis.com
Big things are made up of
lots of little things.
"Munsifali Rashid" <mun@**RemoveToReply**vefuk.com> wrote in message
news:uo**************@TK2MSFTNGP12.phx.gbl... It's generally a bad idea to send any sensitive data using the
querystring, for security purposes.
You'll need to encrypt using the System.Security.Cyptography classes.
What you can do is use RC4 encryption to encrypt your string, and then convert
it to Hex so it can safely be passed in the querystring.
I've done this in classic ASP, but haven't got round to converting it to .net yet, so unfortunately I don't have a code sample. If you'd like to
see the classic ASP version, let me know.
Hope this helps,
Mun
"Onur Bozkurt" <onur.bozkurt@ßofthome.net> wrote in message news:Oz**************@TK2MSFTNGP11.phx.gbl... I'am sending some data by the querystring. But I don't want it to be seen exactly because of security reasons. Is there a way to encrypt it and later decrypt when reading the querystring...? I would be very happy with some sample code.
I couldn't understand what exactly you wan't to say because of my poo
english. You mean is it still unsecure.?
Is there a way to do this in a more secure way...?
Kevin Spencer wrote: The real problem with this situation is that he wants to encrypt data and then put it into the Query String. If that data controls the functionality of the page, it doesn't matter whether it's encrypted or not. The URL will still invoke the functionality in the page that the Query String parameter specifies, regardless of the user's ability to understand it.
It would be better to store sensitive information on the server, and avoid
it going out to the client in any way whatsoever.
--
HTH,
Kevin Spencer
Microsoft MVP
..Net Developer http://www.takempis.com
Big things are made up of
lots of little things.
"Onur Bozkurt" <onur.bozkurt@ßofthome.net> wrote in message
news:u1**************@tk2msftngp13.phx.gbl... I couldn't understand what exactly you wan't to say because of my poo english. You mean is it still unsecure.? Is there a way to do this in a more secure way...?
Kevin Spencer wrote:
The real problem with this situation is that he wants to encrypt data
and then put it into the Query String. If that data controls the
functionality of the page, it doesn't matter whether it's encrypted or not. The URL
will still invoke the functionality in the page that the Query String
parameter specifies, regardless of the user's ability to understand it.
You are assuming the program will understand the querystring and will be
able to decrypt it and run the logic.
But if the key is in the session variable, then a new person, even with the
url, would not be able to run the program because the server would unable to
decrypt the info without the key in the session variable.
It does not matter if the user can/cannot understand the querystring. If
the server cannot understand the querystring at a later time, then the
problem is solved, no?
Would this work?
"Kevin Spencer" <ke***@takempis.com> wrote in message
news:Ol**************@TK2MSFTNGP10.phx.gbl... Here's the thing (thought I explained it earlier!) - The query string is used to pass information to the page that will enable or run some functionality in that page. Regardless of whether the user can understand the query string or not, all he/she needs to do is to paste the URL with
the query string into his/her browser, and voila! the page is run.
-- HTH,
Kevin Spencer Microsoft MVP .Net Developer http://www.takempis.com Big things are made up of lots of little things.
"Tarren" <noemailplease> wrote in message news:eQ**************@tk2msftngp13.phx.gbl... Could you do this?
Encrypt the query string and store the private key as a session
variable? so copying the querystring from the url bar and pasting in a new session would be useless since there would be no key to decrypt it and it would just read as garbage text?
I am assuming here that the requirement is that this data must be in a query string. Could the above approach work? Anyone have experience with something of that nature? "Onur Bozkurt" <onur.bozkurt@ßofthome.net> wrote in message news:u1**************@tk2msftngp13.phx.gbl... I couldn't understand what exactly you wan't to say because of my poo english. You mean is it still unsecure.? Is there a way to do this in a more secure way...?
Kevin Spencer wrote:
> The real problem with this situation is that he wants to encrypt
data and > then put it into the Query String. If that data controls the functionality > of the page, it doesn't matter whether it's encrypted or not. The
URL will > still invoke the functionality in the page that the Query String parameter > specifies, regardless of the user's ability to understand it. > >
Let me explain it from the beginning.
This is an e-commerce site without a ssl certificate. So when the user ready
to give his/her credit card number I will redirect the user to a new
web-site with a ssl certificate.
This wasn't my choice but it should be in this way and can't be changed.
So when redirecting the user I should send the orderid, userid, amount will
be paid,.... to the new page. But I don't want these values to be seen
clearly.
Definitely do-able. You could encrypt a string using a private key, and
then hex the value (as often, encrypted strings are non-ascii, and you'll
end up with a very messy URL). Pass the hex in your querystring, and then
decrypt it on the other end. The querystring is encrypted, so if the user
messes with it, the server will simply be unable to decipher it on the
receiving end and discard it.
I've converted a class I wrote in class ASP to do this, to ASP.NET (though
it's not using the new security classes, yet). If you're interested in
this, drop me a line.
Mun
"Tarren" <noemailplease> wrote in message
news:ut**************@TK2MSFTNGP09.phx.gbl... You are assuming the program will understand the querystring and will be able to decrypt it and run the logic.
But if the key is in the session variable, then a new person, even with
the url, would not be able to run the program because the server would unable
to decrypt the info without the key in the session variable.
It does not matter if the user can/cannot understand the querystring. If the server cannot understand the querystring at a later time, then the problem is solved, no?
Would this work?
Why not post the form directly to the SSL site?
Alternatively, break your order into two steps. The first when the order is
written to the database on your end, and then have a form with a bunch of
hidden fields with the Order ID, User ID, Amount, etc and a submit button to
the SSL Site saying something like "Click here to pay securely with your
credit card".
The form would be submitted to the SSL site, which could use it as required,
and the user would be able to enter their credit card details to complete
the transaction.
If you need to do it without user interaction - i.e. you cant implement the
above scenario where the user has to click a button, then you could, from
code dynamically build a form with hidden fields containing the data you
need to pass across to the SSL site, and then use JavaScript to
automatically post this form.
Hope this helps,
Mun
"Onur Bozkurt" <de****@hementeknoloji.com> wrote in message
news:ef**************@TK2MSFTNGP10.phx.gbl... Let me explain it from the beginning.
This is an e-commerce site without a ssl certificate. So when the user
ready to give his/her credit card number I will redirect the user to a new web-site with a ssl certificate. This wasn't my choice but it should be in this way and can't be changed.
So when redirecting the user I should send the orderid, userid, amount
will be paid,.... to the new page. But I don't want these values to be seen clearly.
Definitely do-able. You could encrypt a string using a private key, and
then hex the value (as often, encrypted strings are non-ascii, and you'll
end up with a very messy URL). Pass the hex in your querystring, and then
decrypt it on the other end. The querystring is encrypted, so if the user
messes with it, the server will simply be unable to decipher it on the
receiving end and discard it.
I've converted a class I wrote in class ASP to do this, to ASP.NET (though
it's not using the new security classes, yet). If you're interested in
this, drop me a line.
Mun
"Tarren" <noemailplease> wrote in message
news:ut**************@TK2MSFTNGP09.phx.gbl... You are assuming the program will understand the querystring and will be able to decrypt it and run the logic.
But if the key is in the session variable, then a new person, even with
the url, would not be able to run the program because the server would unable
to decrypt the info without the key in the session variable.
It does not matter if the user can/cannot understand the querystring. If the server cannot understand the querystring at a later time, then the problem is solved, no?
Would this work?
Why not post the form directly to the SSL site?
Alternatively, break your order into two steps. The first when the order is
written to the database on your end, and then have a form with a bunch of
hidden fields with the Order ID, User ID, Amount, etc and a submit button to
the SSL Site saying something like "Click here to pay securely with your
credit card".
The form would be submitted to the SSL site, which could use it as required,
and the user would be able to enter their credit card details to complete
the transaction.
If you need to do it without user interaction - i.e. you cant implement the
above scenario where the user has to click a button, then you could, from
code dynamically build a form with hidden fields containing the data you
need to pass across to the SSL site, and then use JavaScript to
automatically post this form.
Hope this helps,
Mun
"Onur Bozkurt" <de****@hementeknoloji.com> wrote in message
news:ef**************@TK2MSFTNGP10.phx.gbl... Let me explain it from the beginning.
This is an e-commerce site without a ssl certificate. So when the user
ready to give his/her credit card number I will redirect the user to a new web-site with a ssl certificate. This wasn't my choice but it should be in this way and can't be changed.
So when redirecting the user I should send the orderid, userid, amount
will be paid,.... to the new page. But I don't want these values to be seen clearly. This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Dayne |
last post by:
Guys,
I am writing a database application(vb.net , sql server) and is presently
storing the connection settings in a xml file...not very secure though. What
is a safer method in a dynamic...
|
by: Andy G |
last post by:
If users forget there passwords I want to send a link to them through email
so they can click on a link and go to a change password page. eBay does
this by sending you a url that looks something...
|
by: Bob Hollness |
last post by:
OK, this has me pulling my hair out. All I want to do is encrypt/decrypt
strings. They may be up to 400 characters in length though.
So, I assume System.Security.Cryptography is the one to use....
|
by: frizzle |
last post by:
Hi there,
I need an encrypting function, but haven't got a clue where to start.
First a string has to be encrypted with two different encryption keys.
Both output should be anything a-z / A-Z /...
|
by: Thirsty Traveler |
last post by:
I hear that MD5 is not recommended for encrypting database passwords in that
it can be compromised. Does anyone have a recomendation (SHA-1, etc.) on an
algorithm that would be more appropriate.
|
by: Chris Newby |
last post by:
I'm looking for a way to transparently encrypt cookie data using Asp.Net
1.1.
Ideally, developers could still do things like:
HttpCookie cookie = new HttpCookie( "clearTextKey",...
|
by: Chris Dunaway |
last post by:
I have an application which is installed on a network share to be run
from one or more workstations. I have granted trust to the
applications on the workstations and the appropriate permissions on...
|
by: Parrot |
last post by:
I cannot get an answer as to why my session state no longer remains active
between webpages after working for 2 years. So I want to try to pass data
thru query strings in my url. I tried to use...
|
by: SeeSharp Bint |
last post by:
Visual Studio 2005, dotnet, c#. Microsoft SQL Server. Windows XP forms
application.
Temporarily, for my database application, I have been storing the various
elements of database connection...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
| |