What are some HTTP 'Get' Security best practices?
When should HTTP Get querystring values be obscured?
Edit - The application I've inherited has all of the querystring parameters XOR 'encrypted'. It also passes things like AccountID in the querystring. So I'm wondering if these are good practices and how I would go about correcting these things if they aren't.
Edit -
One method I could use to solve this would be to create a base class (this is just pseudo code):
Imports System
Imports System.Web

Public MustInherit Class QSBase
    ' Opaque handle that goes on the query string in place of the real values.
    Private ReadOnly m_ID As String

    Public ReadOnly Property ID As String
        Get
            Return m_ID
        End Get
    End Property

    Protected Sub New()
        ' A fresh GUID is unique per instance and, unlike a shared counter, is not predictable
        ' and needs no locking between concurrent requests.
        m_ID = Guid.NewGuid().ToString("N")
    End Sub

    Public Function IDQueryString() As String
        Return "ID=" & HttpUtility.UrlEncode(m_ID)
    End Function
End Class
Then for each page in the application I would create a derived class with properties for each query string value.
Public Class QSPage1
    Inherits QSBase

    Private ReadOnly m_AccountID As String

    Public ReadOnly Property AccountID As String
        Get
            Return m_AccountID
        End Get
    End Property

    Public Sub New(ByVal accountID As String)
        MyBase.New()
        m_AccountID = accountID
    End Sub
End Class
Then when I pass the query string to popups or other pages I instantiate the relevant class, store it in the session and pass the unique ID on the query string:
Dim qs As New QSPage1("123456")
Session(qs.ID) = qs
Server.Transfer("Page1.aspx?" & qs.IDQueryString())
' or
CreatePopup("Page1.aspx?" & qs.IDQueryString())
Within the page I access the values by pulling the unique ID and referencing the stored session value:
' CType throws if the ID is missing, expired or was minted in another session, so check for Nothing first and fail the request rather than let the exception escape.
AccountID = CType(Session(Request.QueryString("ID")), QSPage1).AccountID
Of course that can be put into a function or a class in the page.
Some benefits of this approach are:
Some of the drawbacks are that:
Can anyone think of any other benefits/drawback or a better way to do this (besides rewriting the application)?
Edit -
Thanks to all who say to use HTTPS and POST. Unfortunately, I'm looking for answers that have to do with using 'GET' only. (Unless you can explain how to post data to popups without using the QueryString, Session or JavaScript?)
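As an added example, and not code from the original post or from any of the answers, here is the same opaque-handle idea modelled in Python so it can be run outside ASP.NET. `SessionState` stands in for the per-user Session object; the function names, the 10-minute handle lifetime and the `ID=` URL layout are assumptions. It makes explicit three properties the pseudo-code above leaves implicit: the handle is random rather than a counter, it resolves only inside the session that minted it (so a copied or replayed URL is useless to another user), and it expires.

```python
"""Opaque-handle pattern for GET parameters (added example, not from the original post).

Instead of XOR-obscuring AccountID=123456 on the query string, the real values stay
server side in the user's session and the URL carries only a random handle:
    Page1.aspx?ID=<handle>
"""
import secrets
import time
import urllib.parse
from dataclasses import dataclass

HANDLE_TTL_SECONDS = 600.0  # assumption: a handle is honoured for 10 minutes


@dataclass
class Handle:
    values: dict
    created: float


class SessionState:
    """Stands in for ASP.NET Session: one instance per authenticated user."""

    def __init__(self):
        self._handles = {}

    def stash(self, values, *, now=None):
        # 192 bits of randomness: not enumerable the way a shared counter would be.
        handle = secrets.token_urlsafe(24)
        created = time.monotonic() if now is None else now
        self._handles[handle] = Handle(dict(values), created)
        return handle

    def lookup(self, handle, *, now=None, ttl=HANDLE_TTL_SECONDS):
        entry = self._handles.get(handle)
        if entry is None:
            return None  # unknown handle, or one minted in a different user's session
        now = time.monotonic() if now is None else now
        if now - entry.created > ttl:
            del self._handles[handle]  # expired: drop it so it cannot be replayed later
            return None
        return dict(entry.values)


def build_url(page, handle):
    return f"{page}?ID={urllib.parse.quote(handle, safe='')}"


def parse_handle(query_string):
    """Return the single ID value, or None if it is missing or repeated (no ambiguity)."""
    params = urllib.parse.parse_qs(query_string, keep_blank_values=True)
    ids = params.get("ID", [])
    return ids[0] if len(ids) == 1 else None


def page1_account_id(session, query_string, now=None):
    """What Page1 does on load: resolve ID -> AccountID. None means reject the request."""
    handle = parse_handle(query_string)
    if handle is None:
        return None
    values = session.lookup(handle, now=now)
    return values.get("AccountID") if values else None


def demo():
    """Constructed scenario: Alice mints a handle; Mallory replays her URL."""
    alice, mallory = SessionState(), SessionState()
    handle = alice.stash({"AccountID": "123456"}, now=0.0)
    query = build_url("Page1.aspx", handle).split("?", 1)[1]
    tampered = "ID=" + ("A" if handle[0] != "A" else "B") + handle[1:]
    return {
        "alice": page1_account_id(alice, query, now=1.0),
        "mallory_replays_url": page1_account_id(mallory, query, now=1.0),
        "tampered_handle": page1_account_id(alice, tampered, now=1.0),
        "alice_after_expiry": page1_account_id(alice, query, now=HANDLE_TTL_SECONDS + 1.0),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Because the store is keyed inside the per-user session, a handle taken from another user's URL simply does not exist in the attacker's session; no decryption of the query string is needed or possible, which is the property the XOR scheme was trying to fake.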
If you have anything worth obscuring then I would suggest going to HTTPS and dumping HTTP.
Typically I would not put anything related to customer, vendor or order identifiers in the query string. But that is me.
I think you should never obscure GET parameters.
If you need to hide the parameters in the query string at the navigation bar, you should use POST.
If you want to prevent sniffers from intercepting your GET parameter data, use HTTPS.