Quantcast

ASP.NET: HttpModule for Query String Encryption

Get the WebProNews Newsletter:


[ Business]

URL parameters or query strings are often used to carry information that can be used by hackers to do identity theft or other unpleasant things.

Consider the URL example.com/?user=123&account=456 and then imaging what a hacker could do with it. Security or not, sometimes you just don’t want the visitors to see all the query strings for whatever reason.

In those cases it would be nice if we could encrypt the entire query string so it wouldn’t carry any readable information. The problem with one big encrypted query string is that we would break all the code that referenced the query. Code like Request.QueryString["user"] would no longer work, but as usual ASP.NET has the answer to that problem.

What we need is an HttpModule that can turn the encrypted query string into a normal readable one, so that we can still use our old logic like Request.QueryString["user"]. In other words, we want the user to see this

?enc=VXzal017xHwKKPolDWQJoLACDqQ0fE//wGkgvRTdG/GgXIBDd1

while your code sees this

?user=123&account=456.

The HttpModule

The module we need for this task must be able to do a few simple things. It must be able to encrypt the regular query string so that all your current links will automatically be encrypted. It must also be able to decrypt it again so that you can write the code as you normally would. It must also provide a method for encrypting a regular query string if you don’t want to use automatic encryption.

The most important feature of the module is to make it totally plug ‘n play. You should be able to apply the module to any existing website and automatically have query string encryption and decryption without changing any of your code.

Implementation

Download the QueryStringModule.cs below and put it in the App_Code folder of your website. Then add the following lines to the web.config’s section:

<httpModules>

   <add type="QueryStringModule" name="QueryStringModule"/>

</httpModules>

Because automatic encryption is not always desirable the module has a comment that tells you how to turn it off. The module is well commented and should be easy to modify for any ASP.NET developer.

Example

You can encrypt query strings by using the Encrypt() method of the module from any web page or user control.

string query = QueryStringModule.Encrypt("user=123&account=456");

Then just add the encrypted query string to the links that need encryption. You don’t need to use the method if you use automatic encryption.

Download

QueryStringModule.zip (1,55 KB)

Comments

Tag:

Reddit | Furl

Bookmark WebProNews:

Mads Kristensen currently works as a Senior Developer at Traceworks located
in Copenhagen, Denmark. Mads graduated from Copenhagen Technical Academy with a multimedia degree in
2003, but has been a professional developer since 2000. His main focus is on ASP.NET but is responsible for Winforms, Windows- and
web services in his daily work as well. A true .NET developer with great passion for the simple solution.

http://www.madskristensen.dk/

ASP.NET: HttpModule for Query String Encryption
About Mads Kristensen
Mads Kristensen currently works as a Senior Developer at Traceworks located in Copenhagen, Denmark. Mads graduated from Copenhagen Technical Academy with a multimedia degree in 2003, but has been a professional developer since 2000. His main focus is on ASP.NET but is responsible for Winforms, Windows- and web services in his daily work as well. A true .NET developer with great passion for the simple solution.

http://www.madskristensen.dk/ WebProNews Writer
Top Rated White Papers and Resources
  • peter

    I have an external call back page that inherits the encrypted query string of parent page, then appends other parameters. Here’s a sample below

    Query string: “?enc=bUcbHma24aztJXuz2jAcmf2FbGhPYD0jSasZNT82z3M=&rcbID=ctl00_mainContent_RadComboBox1&rcbServerID=RadComboBox1&text=gomez&comboText=gomez&comboValue=&skin=WebBlue&external=true&timeStamp=1174595521521″

    The encrypt function dies on “invalid format”

    Is there a way around this, or should I just extract out the string “enc=…….” during encrypt?

    thx – peter

  • Guest

    Your download no longer works! Please check.

  • Guest

    ASP.NET: HttpModule For Query String Encryption

    Download for this does not work

  • Guest

    ASP.NET: HttpModule For Query String Encryption

    Download does not work

  • Guest

    i have download the class file and added to my project (app_code).It’s working fine in my production server, but after publishing the code not working.kindly help me what the proplem?

    Advance thanks and regards

    Titus

    • Guest

      u might be doing something wrong….

    • Guest

      Titus did you ever figure out the cause of your issue? I seem to be experiencing the same issue. Works fine locally when testing in VS but once I publish to the production server it fails to work properly.

      • drew

        I actually resolved the issue. You need to go into IIS and Add a Managed Module. Select the drop down menu and select the QueryStringModule listed in the drop down. Give it the same name and you’re on your way.

  • Ben

    the download does not work

  • http://www.www.almny.com Guest

    thanks
    i search for it
    i will try it now :)

  • Guest

    Download the file from http://blog.madskristensen.dk/post/HttpModule-for-query-string-encryption.aspx

    • http://www.callwonder.com Prashant Srivastava

      Hi,

      There is a problem in your web config file . Please go through that .

      Thanks & regards
      Prashant Srivastava

  • cucsoi

    always display real URL request at IE status, help me to fix it
    thanks your code

  • Naveen

    Application throwing run time exception while clicking on download.
    Please Fix it.. Thanxx

  • Guest

    The download link is not working

  • http://www.callwonder.com Parshant Srivastava

    Hi ,

    Hope u r f9 , i am downloading ur zip file but it’s not downloading , please check the path u have specified in ur page because it is redirecting to anyother page or i thing to another site . If u got my mail , please send ur source code on mail Id.

    Thanks & Regards
    Prashant Srivastava

  • Guest

    hi i am not able to download the .cs file and please send me the query string encryption and decryption

  • http://www.cards-tricks.com Hilario Gettinger

    Thank you for this very informative blog. I particularly like the fact that the comments are useful and provide a true value. I am presently working on my hour break and when I come home I’ll read the articles to my brother. Thank you and have a nice day!

  • http://xD Ismael

    anyone knows make this method in javascript?

  • http://xD Ismael

    anyone knows make this method in javascript

  • Join for Access to Our Exclusive Web Tools
  • Sidebar Top
  • Sidebar Middle
  • Sign Up For The Free Newsletter
  • Sidebar Bottom