string emailfield=txtEmail.Text.ToString();
string url =
"http://localhost:3076/user/Authenticate-Users.aspx?email="+emailfield;
I want to encrypt the querystring and then decrpyt. Is there any way to do this in C#?
Thanks
-
7The best solution is to just host the service over HTTPS. Failing that: who's going to decrypt the email address? Do you want to use symmetric or asymmetric encryption?Chris Wenham– Chris Wenham2011-03-15 17:47:01 +00:00Commented Mar 15, 2011 at 17:47
-
As Wenham suggests, you might be looking for the wrong solution. If you can explain why you want to encrypt and then decrypt your message, then you are likely to get a far better answer.Kimball Robinson– Kimball Robinson2011-03-15 17:49:05 +00:00Commented Mar 15, 2011 at 17:49
-
See stackoverflow.com/questions/2966255/… or stackoverflow.com/questions/240713/… or stackoverflow.com/questions/1492878/…SwDevMan81– SwDevMan812011-03-15 17:49:18 +00:00Commented Mar 15, 2011 at 17:49
-
Are you authenticating a use solely based on email address? That's rediculous. You need to incorporate a password in there somewhere. Also, I fixed your spelling. ["dis" isEqualToString:@"this"] != true;FreeAsInBeer– FreeAsInBeer2011-03-15 17:50:02 +00:00Commented Mar 15, 2011 at 17:50
-
there is a page wherein i authenticate the users, users come this url only if they have entered valid emailid but knowing the url. after coming on this url database entry is made against the user that his/her emailid is validated but without clicking on the activation link some mt just use the url and embed der emailid and check for validation i have taken all the steps to avoid dos but client want is encypted querystring can i do it in c sharp i want 64 bit encryptionabhijit– abhijit2011-03-15 17:53:32 +00:00Commented Mar 15, 2011 at 17:53
|
Show 3 more comments
4 Answers
You can encrypt a name/value collection to a string, and then just pass that encrypted string as a single query argument.
I demonstrate this technique in an article, Encrypting Query Arguments.
2 Comments
Nayef
but the key is constant, it will not make the webpage secure. The key need to be a secure random key.
Jonathan Wood
@Nayef: That is an option. But it is incorrect to say it needs to be done that way.
Since encrypted data will most likely contain special characters it must be base64-encoded or similar.
You can find a encode / decode class that does the dirty work for you. Many of them out there. Here is one example.
1 Comment
Jaans
Tedd is right. Once you have an encrypted value and you then want to use this in the URL somewhere (like query string argument), you'll need to convert the "special characters" so that they can be used in the URL. Typically this is then base 64 encoded. Just search on how to Base64 encode it.
Possibly looking for Server.UrlEncode?
The URLEncode method applies URL encoding rules, including escape characters, to a specified string.
(Just in case you were too specific with "encrypt", otherwise others have good answers regarding protecting the string's value.)
Comments
A simpler solution could be to store a GUID along with the user account when it is created. You could call it VerificationCode, for example. When you create the user account, you randomly store a GUID with it, 120a9c10-4f2e-11e0-b8af-0800200c9a66 for example.
Now, in the activation link, you embed the GUID instead of the email address:
http://localhost:3076/user/Authenticate-Users.aspx?code=120a9c10-4f2e-11e0-b8af-0800200c9a66
When the page executes, it looks up the user by the GUID to mark that the account has been confirmed.
2 Comments
Kimball Robinson
@Beckham, as far as I know, GUIDs are not cryptographically secure or unique. Wikipedia quote: "Cryptanalysis of the WinAPI GUID generator shows that, since the sequence of V4 GUIDs is pseudo-random, given full knowledge of the internal state, it is possible to predict previous and subsequent values..." en.wikipedia.org/wiki/Globally_Unique_Identifier --- so it's probably better to use a hash function such as SHA-2 (see msdn.microsoft.com/en-us/library/…)
riadh gomri
If the Guid is stored in the database with unique constraint this will not be a problem. What's the purpose to crypt the email ? you can perhaps predict subsquent values but you can do validation in the HTTP POST stackoverflow.com/a/13355076/1288063