Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why Encrypt Query Strings in ASP.NET?

Tags:

c#

.net

asp.net

I work on a web-application that is written in C#/ASP.NET. The original framers of this application chose to use encrypted query strings and Viewstate to control the 'security' and 'state' of the application.

Having come from a GET/POST world before this, I don't have a good basis for understanding why people would go through the trouble of encrypting query strings, when using POST for sensitive data (along with SSL) would achieve a similar level of security.

My question is: What are the advantages and disadvantages of using Encrypted Query Strings in ASP.NET? Is there a documented 'best practice' for this?

Edit: People tend to focus on Viewstate in this question. Don't. Viewstate was mentioned only to give you a better idea to ascertain how 'state' was managed, since that is tangentially related to URLs. I never said Viewstate was encrypted. There really are two issues: 1) The Use of Viewstate, and 2) the Use of encrypted query strings. This question is focused on the latter. I hope that helps to clear up the focus of the question.

like image 386
George Stocker Avatar asked Jan 29 '09 13:01

George Stocker

2 Answers

A reason why you might do something like this is to prevent tampering with the URL to get access to data other than your own. For example, if you have the url:

http://foo.com/user.aspx?user_id=123

it wouldn't be hard for me (or anyone) to change that to:

http://foo.com/user.aspx?user_id=124

If your data access strategy relies entirely on what's in the querystring, that could allow unauthorized access to data.

This approach does serve that purpose correctly, but a more robust way to get there is to actively check authorization within the application, and never rely exclusively on the URL for authentication and / or authorization purposes.

Note that this has nothing to do with SSL - that ensures privacy between the browser and server, but you can be under a perfectly secure connection and still tamper with the URL.

like image 116
Ian Varley Avatar answered Oct 20 '22 00:10

Ian Varley

Well, arguably it allows you to distribute a url for the page, but a better approach here might be something involving a guid as an opaque identifier to a permalink... perhaps it is useful for scripting purposes?

If it is between pages on the same app, then a POST over SSL would indeed seem to make more sense. Can you ask the original designers? Read the design documents?

like image 37
Marc Gravell Avatar answered Oct 20 '22 01:10

Marc Gravell
Sign in to Comment

Related questions

ASP.NET MVC - Download Excel file from MemoryStream (Corrupt file)
What are the desirable situation (real life example) to create static methods except for creating helper?
MVC app doesn't run with a generic method
wpf C# retrieving accent color windows 10
array.Take(13).Skip(x) is subtracting the take
Simple String Encryption without Dependencies
.NET Core EndRequest Middleware
View Component as a Tag Helper does not get Invoked
Creating a AWS Cognito PreSignup Lambda in DotNet
Epplus delete all rows from specific row
Rotate photo with SkiaSharp
How to make Tabbed page of many content page with a scroll menu in Xamarin forms?
Call child method from parent c#
Send a single email to multiple recipients using Mailkit or mimekit
Handling possible null value when converting JSON to C# class
Enable-Migrations - Cannot bind argument to parameter 'Path'
How to force an IAsyncEnumerable to respect a CancellationToken
What is the C# equivalent of Perl's repetition operator?
RegEx matching HTML tags and extracting text
Set Global Variable for Duration of a Request

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!