Question:
I have a URL www.site-address/site-page/page1.aspx?username=deepu&password=deepu. How can I change the URL to www.site-address/site-page/page1.aspx?username=232322323232&password=2323232322323, i.e. I want to encrypt the fields I pass through the URL. Please help me to encrypt and decrypt the URL in C# using .NET. Now I am using Response.Redirect and pass these values as a query string. Please help.
Answer 1:
Your approach is flawed and encrypting will not really help the underlying problem. If you go out across the 'net you will rarely (should never) see a pattern like what you are describing, even if it is encrypted.
Instead you should store the user credentials as securely as possible on the server and pass a unique, short-lived session token in the querystring that you can use to look up the credentials.
As for storing securely on the server, once you've received the user's password the first time, you should use a one-way hash, like SHA256, with a salt. You can pass this value wherever, store it, and to validate compare the hash of a potential password to the hash you have stored. Treat a user's password like toxic waste - throw it away as quickly as possible. You want to be in the password storing business about as badly as you want to be in the toxic waste storing business.
(Answered from my iPhone, links forthcoming or if someone wants to help me out! :))
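The pattern Answer 1 describes (salted one-way password hashing on the server, plus a short-lived random token in the query string that is looked up server-side) as an added example; this is not code from the original answer. CredentialStore is a hypothetical in-memory stand-in for the user and session tables, the "deepu"/"deepu" pair is constructed sample input taken from the question, and the code assumes .NET 8 or later. Where the answer says "SHA256 with a salt", the example uses PBKDF2-HMAC-SHA256 (Rfc2898DeriveBytes.Pbkdf2), which adds the slow work factor a plain salted hash lacks, and compares hashes in constant time.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example, not from the original answer. Hypothetical in-memory stand-in for the
// server-side user and session stores. Assumes .NET 8 or later.
public sealed class CredentialStore
{
    private const int SaltSize = 16;        // 128-bit random salt per user
    private const int HashSize = 32;        // 256-bit derived key
    private const int Iterations = 600_000; // PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)

    private readonly Dictionary<string, (byte[] Salt, byte[] Hash)> _users = new();
    private readonly Dictionary<string, (string User, DateTime ExpiresUtc)> _sessions = new();
    private readonly byte[] _dummySalt = RandomNumberGenerator.GetBytes(SaltSize);

    // Keeps only salt + slow hash; the password itself is never retained.
    public void Register(string username, string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        _users[username] = (salt, Derive(password, salt));
    }

    // Re-derives with the stored salt and compares in constant time. An unknown user still
    // pays the PBKDF2 cost so response timing does not reveal which usernames exist.
    public bool Verify(string username, string password)
    {
        if (!_users.TryGetValue(username, out var record))
        {
            Derive(password, _dummySalt);
            return false;
        }
        return CryptographicOperations.FixedTimeEquals(Derive(password, record.Salt), record.Hash);
    }

    // Issues the opaque, short-lived token that travels in the query string instead of credentials.
    public string IssueToken(string username, TimeSpan lifetime)
    {
        string token = Convert.ToHexString(RandomNumberGenerator.GetBytes(32)); // 256 bits, URL-safe hex
        _sessions[token] = (username, DateTime.UtcNow + lifetime);
        return token;
    }

    // Resolves a token server-side; unknown or expired tokens yield nothing and are purged.
    public bool TryResolveToken(string token, out string username)
    {
        username = "";
        if (!_sessions.TryGetValue(token, out var session)) return false;
        if (DateTime.UtcNow >= session.ExpiresUtc)
        {
            _sessions.Remove(token);
            return false;
        }
        username = session.User;
        return true;
    }

    private static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashSize);
}

public static class Program
{
    public static void Main()
    {
        var store = new CredentialStore();
        store.Register("deepu", "deepu"); // constructed sample input, taken from the question

        Console.WriteLine(store.Verify("deepu", "deepu"));
        Console.WriteLine(store.Verify("deepu", "wrong"));
        Console.WriteLine(store.Verify("nobody", "deepu"));

        // What Response.Redirect would carry: an unguessable token, not the username or password.
        string token = store.IssueToken("deepu", TimeSpan.FromMinutes(15));
        Console.WriteLine("page1.aspx?session=" + token);
        Console.WriteLine(store.TryResolveToken(token, out var user) + " " + user);

        // A token issued with a negative lifetime is already expired and must not resolve.
        string stale = store.IssueToken("deepu", TimeSpan.FromSeconds(-1));
        Console.WriteLine(store.TryResolveToken(stale, out _));
    }
}
```

Only the first Verify call succeeds, the fresh token resolves back to "deepu", and the stale one does not. In a real application the two dictionaries would be a database or distributed cache, and the token would normally be carried in a cookie marked HttpOnly and Secure rather than in the query string at all, since URLs end up in browser history, proxy logs and Referer headers.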
Answer 2:
It will not work the way you want, but yes, encryption is possible in the ways mentioned below.
Encryption page:
    // usings the snippet needs (omitted in the original)
    using System;
    using System.IO;
    using System.Security.Cryptography;
    using System.Text;
    using System.Web;

    string id1 = "id1";
    // Base64 contains '+', '/' and '=', so the ciphertext must be URL-encoded once here;
    // Request.QueryString on the receiving page decodes it again automatically.
    Response.Redirect("decryptionPage.aspx?id1=" + HttpUtility.UrlEncode(Encrypt(id1)));

    // DES-CBC with a key and IV hard-coded in the page. DES is a 56-bit, long-deprecated
    // cipher; a fixed IV makes equal inputs produce equal ciphertext; and the key ships
    // with the application, so anyone who can read it can decrypt or forge values.
    private string Encrypt(string stringToEncrypt)
    {
        byte[] inputByteArray = Encoding.UTF8.GetBytes(stringToEncrypt);
        byte[] rgbIV = { 0x21, 0x43, 0x56, 0x87, 0x10, 0xfd, 0xea, 0x1c };
        byte[] key = Encoding.UTF8.GetBytes("A0D1nX0Q"); // exactly 8 bytes, as DES requires
        // Dispose the provider and streams; the original also caught every exception and
        // returned e.Message, which would put the error text into the redirect URL.
        using (DESCryptoServiceProvider des = new DESCryptoServiceProvider())
        using (MemoryStream ms = new MemoryStream())
        using (CryptoStream cs = new CryptoStream(ms, des.CreateEncryptor(key, rgbIV), CryptoStreamMode.Write))
        {
            cs.Write(inputByteArray, 0, inputByteArray.Length);
            cs.FlushFinalBlock();
            return Convert.ToBase64String(ms.ToArray());
        }
    }
Decryption page:
    // Request.QueryString has already URL-decoded the value; decoding it a second time
    // (as the original did) turns any '+' in the Base64 text into a space and corrupts it.
    string getId1 = Request.QueryString["id1"];
    var qs = Decrypt(getId1);

    private string Decrypt(string EncryptedText)
    {
        byte[] rgbIV = { 0x21, 0x43, 0x56, 0x87, 0x10, 0xfd, 0xea, 0x1c };
        byte[] key = Encoding.UTF8.GetBytes("A0D1nX0Q"); // same hard-coded key and IV as Encrypt
        byte[] inputByteArray = Convert.FromBase64String(EncryptedText);
        using (DESCryptoServiceProvider des = new DESCryptoServiceProvider())
        using (MemoryStream ms = new MemoryStream())
        using (CryptoStream cs = new CryptoStream(ms, des.CreateDecryptor(key, rgbIV), CryptoStreamMode.Write))
        {
            cs.Write(inputByteArray, 0, inputByteArray.Length);
            // Throws CryptographicException on bad padding, i.e. a truncated or tampered value.
            // CBC without a MAC cannot detect most modifications; let the exception propagate
            // rather than returning e.Message as if it were the plaintext.
            cs.FlushFinalBlock();
            return Encoding.UTF8.GetString(ms.ToArray());
        }
    }
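The two properties the DES code in Answer 2 lacks, a fresh random IV per message and an integrity check, shown with AES-GCM as an added example; this is not code from the original answer. QueryStringProtector is a hypothetical helper name, the "id1" value is constructed sample input echoing Answer 2, the key is generated per run here only for the demo (in practice it would be loaded from protected server-side configuration and never embedded in the page), and the code assumes .NET 8 or later. This makes an opaque query-string value unreadable and unforgeable; it does not make a password in a URL acceptable, for the reasons the other answers give.

```csharp
#nullable enable
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the original answer. Hypothetical helper; assumes .NET 8 or later.
public static class QueryStringProtector
{
    private const int NonceSize = 12; // 96-bit nonce, the size AES-GCM is specified for
    private const int TagSize = 16;   // 128-bit authentication tag

    // Encrypts and authenticates the value; token layout is nonce || ciphertext || tag.
    // Hex output is URL-safe, so no second layer of URL encoding is needed.
    public static string Protect(byte[] key, string plaintext)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize); // fresh per message; never reused with this key
        byte[] pt = Encoding.UTF8.GetBytes(plaintext);
        byte[] ct = new byte[pt.Length];
        byte[] tag = new byte[TagSize];

        using var aes = new AesGcm(key, TagSize);
        aes.Encrypt(nonce, pt, ct, tag);

        byte[] token = new byte[NonceSize + ct.Length + TagSize];
        Buffer.BlockCopy(nonce, 0, token, 0, NonceSize);
        Buffer.BlockCopy(ct, 0, token, NonceSize, ct.Length);
        Buffer.BlockCopy(tag, 0, token, NonceSize + ct.Length, TagSize);
        return Convert.ToHexString(token);
    }

    // Returns null when the token is malformed, truncated, or was modified in transit.
    public static string? Unprotect(byte[] key, string token)
    {
        byte[] bytes;
        try { bytes = Convert.FromHexString(token); }
        catch (FormatException) { return null; }
        if (bytes.Length < NonceSize + TagSize) return null;

        ReadOnlySpan<byte> nonce = bytes.AsSpan(0, NonceSize);
        ReadOnlySpan<byte> ct = bytes.AsSpan(NonceSize, bytes.Length - NonceSize - TagSize);
        ReadOnlySpan<byte> tag = bytes.AsSpan(bytes.Length - TagSize, TagSize);
        byte[] pt = new byte[ct.Length];

        using var aes = new AesGcm(key, TagSize);
        try { aes.Decrypt(nonce, ct, tag, pt); }
        catch (CryptographicException) { return null; } // tag mismatch: tampered, truncated, or wrong key
        return Encoding.UTF8.GetString(pt);
    }
}

public static class Program
{
    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32); // AES-256; demo only, load from protected config in practice
        string token = QueryStringProtector.Protect(key, "id1"); // constructed sample value, as in Answer 2

        Console.WriteLine("decryptionPage.aspx?id1=" + token);
        Console.WriteLine(QueryStringProtector.Unprotect(key, token));

        // Flip one nibble of the tag: Unprotect must return null instead of garbage,
        // which is the check the DES-CBC code above cannot make.
        char[] tampered = token.ToCharArray();
        tampered[^1] = tampered[^1] == '0' ? '1' : '0';
        Console.WriteLine(QueryStringProtector.Unprotect(key, new string(tampered)) is null);

        // Same key and value again yields a different token because the nonce is fresh,
        // so an observer cannot tell that two URLs carry the same value.
        Console.WriteLine(QueryStringProtector.Protect(key, "id1") != token);
    }
}
```

The round trip recovers "id1", the tampered token is rejected, and repeated protection of the same value produces distinct tokens. AesGcm throws if a nonce is reused with the same key, so never derive the nonce from the value being protected; the random 12 bytes prefixed to the token are the intended way to carry it.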
Answer 3:
Do you really want to do this? If you bother with usernames and passwords, presumably there is some value to the information or functionality you provide. With URL parameter passing, you leave a number of attack surfaces wide open (not least replay attacks, where anyone can impersonate your users).
What are you really trying to do, and why can't you use what's provided in ASP.NET?
Answer 4:
Why don't you post the values instead of using the query string? With SSL, at least no one would see the password, encrypted or otherwise. Additionally, passwords in a URL don't provide any security. It is like scattering keys to your house all over the neighborhood and hoping that no one will try them to open your house.
Basically it is a flawed premise. URLs are cached in many ways, so it makes sense not to put passwords in them.
However you are not alone in putting passwords in a URL. Check this out
http://support.microsoft.com/kb/135975