How to encrypt/decrypt the url in C#

后端 未结 4 1813
借酒劲吻你
借酒劲吻你 2021-01-06 12:45

I have a URL www.site-address/site-page/page1.aspx?username=deepu&password=deepu how can i change the URL to www.site-address/site-page/page1.aspx?username=232322323232&

相关标签:
4条回答
  • 2021-01-06 13:15

    Do you really want to do this? If you bother with usernames and passwords, presumably there is some value to the information or functionality you provide. With URL parameter passing, you leave a number of attack surfaces wide open (not least replay attacks where anyone can impersonate your users.

    What are you really trying to do, and why can't you use what's provided in ASP.NET?

    0 讨论(0)
  • 2021-01-06 13:23

    It will not work in the way you want but yes encryption is possible as by below mentioned ways

    Encryption page:

    string id1 = "id1";
    
    Response.Redirect("decryptionPage.aspx?id1=" + HttpUtility.UrlEncode(Encrypt(id1)));
    
    private string Encrypt(string stringToEncrypt)
    {
            byte[] inputByteArray = Encoding.UTF8.GetBytes(stringToEncrypt);
            byte[] rgbIV = { 0x21, 0x43, 0x56, 0x87, 0x10, 0xfd, 0xea, 0x1c };
            byte[] key = { };
            try
            {
                key = System.Text.Encoding.UTF8.GetBytes("A0D1nX0Q");
                DESCryptoServiceProvider des = new DESCryptoServiceProvider();
                MemoryStream ms = new MemoryStream();
                CryptoStream cs = new CryptoStream(ms, des.CreateEncryptor(key, rgbIV), CryptoStreamMode.Write);
                cs.Write(inputByteArray, 0, inputByteArray.Length);
                cs.FlushFinalBlock();
                return Convert.ToBase64String(ms.ToArray());
            }
            catch (Exception e)
            {
                return e.Message;
            }
    }
    

    Decryption page:

    string getId1 = Convert.ToString(Request.QueryString["id1"]);
    var qs = Decrypt(HttpUtility.UrlDecode(getId1));
    private string Decrypt(string EncryptedText)
    {
            byte[] inputByteArray = new byte[EncryptedText.Length + 1];
            byte[] rgbIV = { 0x21, 0x43, 0x56, 0x87, 0x10, 0xfd, 0xea, 0x1c };
            byte[] key = { };
    
            try
            {
                key = System.Text.Encoding.UTF8.GetBytes("A0D1nX0Q");
                DESCryptoServiceProvider des = new DESCryptoServiceProvider();
                inputByteArray = Convert.FromBase64String(EncryptedText);
                MemoryStream ms = new MemoryStream();
                CryptoStream cs = new CryptoStream(ms, des.CreateDecryptor(key, rgbIV), CryptoStreamMode.Write);
                cs.Write(inputByteArray, 0, inputByteArray.Length);
                cs.FlushFinalBlock();
                System.Text.Encoding encoding = System.Text.Encoding.UTF8;
                return encoding.GetString(ms.ToArray());
            }
            catch (Exception e)
            {
                return e.Message;
            }
    }
    
    0 讨论(0)
  • 2021-01-06 13:25

    Your approach is flawed and encrypting will not really help the underlying problem. If you go out across the 'net you will rarely (should never) see a pattern like what you are describing, even if it is encrypted.

    Instead you should store the user credentials as securely as possible on the server and pass a unique, short-lived session token in the querystring that you can use to look up the credentials.

    As for storing securely on the server, once you've receive the user's password the first time, you should use a one-way hash, like SHA256, with a salt. You can pass this value wherever, store it, and to validate compare the has of a potential password to the hash you have stored. Treat a user's password like toxic waste - throw it away as quickly as possible. You want to be in the password storing business about as badly as you want to be in the toxic waste storing business.

    (Answered from my iPhone, links forthcoming or if someone wants to help me out! :))

    0 讨论(0)
  • 2021-01-06 13:30

    Why don't you post the values instead of using the querystring? With SSL atleast no one would see the password encrypted or otherwise. Additional passwords in URL don't provide any security. It is like scattering keys to your house all over the neighborhood and hoping that no-one will try them to open your house.

    Basically it is a flawed premise. Urls are cached in many ways so it makes sense not to put passwords in them.

    However you are not alone in putting passwords in a URL. Check this out

    http://support.microsoft.com/kb/135975

    0 讨论(0)
提交回复
热议问题