Consider the URL example.com/?user=123&account=456 and then imaging what a hacker could do with it. Security or not, sometimes you just don’t want the visitors to see all the query strings for whatever reason.

In those cases it would be nice if we could encrypt the entire query string so it wouldn’t carry any readable information. The problem with one big encrypted query string is that we would break all the code that referenced the query. Code like Request.QueryString["user"] would no longer work, but as usual ASP.NET has the answer to that problem.

What we need is an HttpModule that can turn the encrypted query string into a normal readable one, so that we can still use our old logic like Request.QueryString["user"]. In other words, we want the user to see this

?enc=VXzal017xHwKKPolDWQJoLACDqQ0fE//wGkgvRTdG/GgXIBDd1

while your code sees this

?user=123&account=456.

The HttpModule

The module we need for this task must be able to do a few simple things. It must be able to encrypt the regular query string so that all your current links will automatically be encrypted. It must also be able to decrypt it again so that you can write the code as you normally would. It must also provide a method for encrypting a regular query string if you don’t want to use automatic encryption.

The most important feature of the module is to make it totally plug ‘n play. You should be able to apply the module to any existing website and automatically have query string encryption and decryption without changing any of your code.

Implementation

Download the QueryStringModule.cs below and put it in the App_Code folder of your website. Then add the following lines to the web.config’s section:

<httpModules>

</httpModules>

Because automatic encryption is not always desirable the module has a comment that tells you how to turn it off. The module is well commented and should be easy to modify for any ASP.NET developer.

Example

You can encrypt query strings by using the Encrypt() method of the module from any web page or user control.

string query = QueryStringModule.Encrypt("user=123&account=456");

Then just add the encrypted query string to the links that need encryption. You don’t need to use the method if you use automatic encryption.

Download

QueryStringModule.zip (1,55 KB)

Comments

Tag:

Reddit | Furl

Bookmark WebProNews:

Mads Kristensen currently works as a Senior Developer at Traceworks located
in Copenhagen, Denmark. Mads graduated from Copenhagen Technical Academy with a multimedia degree in
2003, but has been a professional developer since 2000. His main focus is on ASP.NET but is responsible for Winforms, Windows- and
web services in his daily work as well. A true .NET developer with great passion for the simple solution.

http://www.madskristensen.dk/

The first is for letting search engines see more of your content rather than the big portion of ViewState many sites have.

The other is perceived rendering time, which means that the content loads faster because it renders before the ViewState while the total rendering time remains the same.

That will decrease the load time of your website’s content.

Techniques to move the ViewState to the bottom of the WebForm has been published many times before.

What I wanted was adding the functionality to an HttpModule.

The technique to move the ViewState is borrowed from Scott Hanselman while the HttpModule implementation is my own.

As Scott writes, it is a very low impact technique (0.000995 second) even though it hasn’t been fully tested for a variety of scenarios.

The goal I’m trying to achieve is to build a reusable component that has 100% plug n play capabilities.

That’s where the HttpModule comes in.

You can just drop it into any existing website without changing any code.

I see no reasons why not to move the ViewState to the bottom, which makes me believe that Microsoft should have done that by default in the first place.

Implementation

Download the ViewstateModule.cs below and put in the App_Code folder of your website. Then add these lines to the web.config and you’re ready to go.

<httpModules>

</httpModules>

Download

ViewstateModule.zip (1,06 KB)

Tag:

Add to Del.icio.us | Digg | Reddit | Furl

Bookmark WebProNews:

Mads Kristensen currently works as a Senior Developer at Traceworks located
in Copenhagen, Denmark. Mads graduated from Copenhagen Technical Academy with a multimedia degree in
2003, but has been a professional developer since 2000. His main focus is on ASP.NET but is responsible for Winforms, Windows- and
web services in his daily work as well. A true .NET developer with great passion for the simple solution.

http://www.madskristensen.dk/

The safest way to display an e-mail address is to break it up and convert it to something like “name at company dot com”. However, there are a lot of problems involved with that approach. It is difficult to read and you can’t make it into a hyperlink like “mailto:name at company dot com”. If you want to make it into a hyperlink, the best way would be to use a JavaScript function similar to this:

function SendMail(name, company, domain)

}

Then call that method with a hyperlink like this:

<a href="JavaScript:SendMail('name', 'company', 'domain');void(0)">name at company dot com</a>

That will make it pretty difficult to parse for a spam robot.

Another approach is to encode the characters into hex code which is perfectly readable for all browsers, but can proof to be more difficult to parse by robots but not impossible. What a robot can do is to just decode the entire HTML document from hex values into clear text, which will expose the e-mail addresses. But if we mixed clear text and hex values it will be much more difficult for the robot. That’s what the following HttpModule does.

HttpModule

The module replaces all e-mail addresses on your website with the mixed hex/clear text characters. It turns this

<a href="mailto:name@company.com">name@company.com</a>

Into this

<a href="mailto:name@company.com">
name@company.com</a>

It uses the System.Random class to do the mix of the clear text with the hex values. The primary methods in the modules are the ones that through regex, replaces the clear text addresses.

private static Regex _Regex = new Regex("(mailto:|)(\\w+[a-zA-Z0-9.-_]*)@(\\w+).(\\w+)");

   return sb.ToString();
}

Implementation

You can add this module to any existing web applications without breaking any code. Download the EmailSpamModule.cs below and place it in the App_Code folder on your website. Then add the following to the web.config:

<httpModules>

   <add type="EmailSpamModule" name="EmailSpamModule" />
</httpModules>

Even though the module makes it much more difficult to decode any e-mail address, it is still my advice that you use the JavaScript method if possible. If you're lazy or don't get paid by the hour, go for the module.

Download

EmailSpamModule.zip (1,16 KB)

Comments

Tag:

Add to Del.icio.us | Digg | Reddit | Furl

Bookmark WebProNews:

Mads Kristensen currently works as a Senior Developer at Traceworks located
in Copenhagen, Denmark. Mads graduated from Copenhagen Technical Academy with a multimedia degree in
2003, but has been a professional developer since 2000. His main focus is on ASP.NET but is responsible for Winforms, Windows- and
web services in his daily work as well. A true .NET developer with great passion for the simple solution.

http://www.madskristensen.dk/