SSL Question About XML Page

[Jim Bayers]

When you open a webpage via SSL, when does the encrypted session start? I
want to pass a student id number, something confidential on the url.

So if someone requests data in xml format from my website with

https://www.test.edu/xml.aspx?id=4352109

will the id be encrypted?

We are worried about sniffers.

 

[Guest]

Jim,

Off the top of my head I would say that is not a good idea. To my knowledge
SSL does not encrypt the URL just the content of the page that is sent back
and forth. Since the id will be in the URL this will pose other problems.
These problems can be numerous such as being viewed by someone walking by,
the id is now hackable (i.e. by incrementing the number or just “hacking it
outâ€), could be sniffed by a program running on the client computer, etc… I
would suggest that you store the id in a session variable or something of the
like and pass it back and forth over SSL. Microsoft has some excellent web
security patterns that you can follow at
http://www.microsoft.com/resources/practices/default.mspx and
http://www.microsoft.com/resources/practices/application/security.mspx

I hope that this helps.

 

[Joerg Jooss]

When you open a webpage via SSL, when does the encrypted session
start? I want to pass a student id number, something confidential on
the url.

So if someone requests data in xml format from my website with

https://www.test.edu/xml.aspx?id=4352109

will the id be encrypted?

Yes. But in general, it is a bad idea to expose internal identifiers via
URLs, whether you use SSL or not.

Cheers,