encrypting querystring

[Jeff]

hi

asp.net 3.5

Sometimes I send username or userId as a querystring when opening webpages
in my project. That is not good as other users can manipulate the
information and maybe get access to more than I need to...

So I'm now looking into encrytpting the querystring
I've read this article: http://www.4guysfromrolla.com/webtech/012000-1.shtml
which too me sounds like an overkill, I would prefer a shorter URL, URL
like:
/SomePage.asp?crypt=w%96%9Ei%7D%9D%AE%91%B7%ACf%86%C4%AC%CA%90%96c%A1%9D%8F%89%B2z%92U%87Z%95%CF%A6%A5i%BE%96%9C%91%B9%AA%A5%97d%BE%BF%95gwb%8C%93%B7%8A%88%A7%A2%94h%B8%A9%AA
sounds too long to me

I like the URL of youtube:

wonder if that nTasT5h0LEg is encrypted code, anyway it looks easier to past
into URL field in internet browser than the above link

(I'm not sending passwords)

any suggestions how to do this?

 

[sloan]

The youtube tag is not encrypted, its just UNIQUE.

You can pass a guid, which is hard to reproduce from memory.

Guid.NewGuid().ToString("N")

But that is NOT encrypted, just highly unique.

 

[Gregory A. Beamer]

If you are specifying specific content, ala YourTube, you will create a
record in a database and then create the short unique string for the item.
You then have another string, in the table, that specifies the location and
name of the file in question. It is not encrypted.

 

[Anthony Jones]

hi

asp.net 3.5

Sometimes I send username or userId as a querystring when opening webpages
in my project. That is not good as other users can manipulate the
information and maybe get access to more than I need to...

So I'm now looking into encrytpting the querystring
I've read this article:
http://www.4guysfromrolla.com/webtech/012000-1.shtml
which too me sounds like an overkill, I would prefer a shorter URL, URL
like:
/SomePage.asp?crypt=w%96%9Ei%7D%9D%AE%91%B7%ACf%86%C4%AC%CA%90%96c%A1%9D%8F%89%B2z%92U%87Z%95%CF%A6%A5i%BE%96%9C%91%B9%AA%A5%97d%BE%BF%95gwb%8C%93%B7%8A%88%A7%A2%94h%B8%A9%AA
sounds too long to me

I like the URL of youtube:

wonder if that nTasT5h0LEg is encrypted code, anyway it looks easier to
past into URL field in internet browser than the above link

(I'm not sending passwords)

any suggestions how to do this?

I'm not sure I understand. In order to generate a URL that contains some
form of user identity a session must know the identity of the current user.
If the session knows the identiy of the user why is there a need to include
it in the URL? Why can't Somepage.asp use the current identity associated
with the session to confirm the user has appropriate access?

 

[Jeff]

How do you know the username and.or userId to construct the querystring in
the first place...?

For example when the user register at the website, then a confirmation email
is sent to the user.
That email contain a link which the user needs to click on to verify his
account.. That link has this format:
confirm.aspx?user=<username>

Some other pages has a Guid in the querystring:
Default.aspx?id=6cf7a2e7-7443-46d8-b91c-6bf245f1ef6d
The Guid is not the userid of a user, but instead the id of a record in the
database (not userid in aspnet_users)

For example in a gridview, I have a HyperLink on each row. That hyperlink
has a id (guid) which holds the id of a resource the linked page will read
in Page_Load event. Each hyperlink in the GridView has different guid. The
HyperLink gets the id from some code in the OnRowDataBound event, Not sure
this can be placed in session

I take username from Profile.UserName or MembershipUser.UserName
and ProviderUserKey.

Not sure I fully answered your question, but that is how I get the username
and userid in my webproject. Not sure I can have it in the session

any suggestions about securing those links?