Most of times we tend to pass information between different web pages in the application with the help of query string. However query string offers direct visibility to the end user about the parameters your page might be expecting. If some one modifies your query string and pass the information to the page , it could become a potential security threat.
There are lot of ways you can normally encrypt your query string. But most of them don't help you in encrypting your query parameter. They only encrypt your values. However if someone tries with different algorithms, it could again lead to a security breach unless you did some very good exception handling.
If you encrypt your query string, everytime you want to access in your values, you have to decode it and access it. If you had already written some code, there is a great impact that you will have to adapt your code after the implementation. What if there is a way where you display in encrypted format to the user but for the code its still the same ?
What I mean is :
The user sees this
while your code sees
ID=123&Query=select and accesses it through Request.querystring["ID"]....
How to encrypt your query string in ASP.NET with the help of HTTP Module ?
Before we dive in, let me explain you what this HTTP module is !!
HTTP modules are one among the series of extensible objects that could be initiated by ASP.NET runtime to process a request. They are filters that can pre and post-process requests as they pass through the HTTP pipeline Many of the services provided in ASP.NET are exposed as HTTP modules esp the ones related to security.
So How do we use HTTP module for encrypting and decrypting query strings ?
The source file in the above link contains the code for encryption and decryption of the query string.
How to use it ?
- Include the file in your project and change the namespace accordingly.
- Once you included the file in your project, please add the following tag to your Web.config in your
<add name="EncryptDecryptModule" type=" Technade.Web.Core.Application.EncryptDecrypt"/> httpModules>
- Make sure that you included correct type in the above line.
You will find the following line in the source code.
// Encrypt the query string and redirects to the encrypted URL.
// Remove if you don't want all query strings to be encrypted automatically.
string encryptedQuery = Encrypt(query);
Remove the line and the query strings will not be automatically encrypted. Instead you will have to call everytime manually as below whenever you want .
string querystring = EncryptDecrypt.Encrypt( "ID=123&query=select" );
But the decryption is automatic as it always checks for the encryption key that is appended before the query string in the code. So if the encryption key exists ,it will decrypt or else it will let it remain as it is. The file has been documented to a good extent. So it should not be too difficult for you to understand how it works.