加密或隐藏QueryString在Asp.net网站使用.net 3.5 [英] Encrypt Or Hide QueryString at Asp.net website using .net 3.5
问题描述
任何人可以帮助我吗?还是有另一个想法,而不是隐藏或加密>>?
谢谢。
正确。我会接受这个答案,如果它是适合的。
第一个问题是,你是否需要使用查询字符串,如果你是从用户隐藏它?也许会话状态可能更好地避免用户看到它首先,
但是,禁止这一点 - 也许你有一个要求,你不能解决,你绝对必须自己使用查询字符串。
您可以加密查询字符串,在您的情况下,我将使用 DPAPI ,所以你不必担心像密钥管理这样麻烦的事情。以下是一个示例用法:
public static string Encrypt(string val)
{
var bytes = System.Text.Encoding.UTF8.GetBytes(VAL);
var encBytes = System.Security.Cryptography.ProtectedData.Protect(bytes,new byte [0],System.Security.Cryptography.DataProtectionScope.LocalMachine);
return Convert.ToBase64String(encBytes);
}
public static string Decrypt(string val)
{
var bytes = Convert.FromBase64String(val);
var encBytes = System.Security.Cryptography.ProtectedData.Unprotect(bytes,new byte [0],System.Security.Cryptography.DataProtectionScope.LocalMachine);
return System.Text.Encoding.UTF8.GetString(encBytes);
}
您必须添加对系统的引用。安全汇编并导入命名空间 System.Security.Cryptography 。
这是一个示例如何在一个页面中使用它:
Response.Redirect(〜/ somepage.aspx?data =+服务器.UrlEncode(加密( SomeSensitiveData)));
并解密:
var data = Decrypt(Request.QueryString [data]);
您可以使用它来加密查询字符串值,例如 Encrypt ,并在需要解释查询字符串的页面上使用解密。
您可以除了使用SSL;这是一个好主意。这也意味着用户将无法看到查询字符串值。
有使用DPAPI的注意事项。一个是它不能很好地与负载平衡器。您将不得不使用别的东西,或者设置负载均衡器来使用粘性会话。另一个是如果他们用加密的查询字符串值为页面加书签;并且您移动到另一个服务器,那么所有书签都将包含服务器现在无法解密的加密查询字符串。
如果查询字符串需要保留(例如对于书签),它不是仅仅是临时的使用,那么你需要提出一个公共密钥,将其保存在某个安全的地方,并用AES进行加密。
I have an existing asp.net web site built with master pages and what I need to hide or encrypt all pass query strings values in a common place without changing a lot of code.
Can any one help me with this please .. or is there another idea instead of hiding or encrypting >>?
Thanks.
What Chris said in his answer is absolutely correct. I would accept that as the answer if it is suitable.
The first question is, do you need to use a query string if you are hiding it from the user? Perhaps something like Session State is better to avoid the user from ever seeing it in the first place.
However, barring that - perhaps you have a requirement that you can't work around and you absolutely have to do it yourself using the query string.
You can encrypt the query string, in your case I would use DPAPI so you don't have to worry about troublesome things like key management. Here is an example usage:
public static string Encrypt(string val)
{
var bytes = System.Text.Encoding.UTF8.GetBytes(val);
var encBytes = System.Security.Cryptography.ProtectedData.Protect(bytes, new byte[0], System.Security.Cryptography.DataProtectionScope.LocalMachine);
return Convert.ToBase64String(encBytes);
}
public static string Decrypt(string val)
{
var bytes = Convert.FromBase64String(val);
var encBytes = System.Security.Cryptography.ProtectedData.Unprotect(bytes, new byte[0], System.Security.Cryptography.DataProtectionScope.LocalMachine);
return System.Text.Encoding.UTF8.GetString(encBytes);
}
You would have to add a reference to the System.Security assembly and import the namespace System.Security.Cryptography.
Here's an example on how to use it in a page:
Response.Redirect("~/somepage.aspx?data=" + Server.UrlEncode(Encrypt("SomeSensitiveData")));
And to decrypt it:
var data = Decrypt(Request.QueryString["data"]);
You can use this to encrypt a query string value, such as Encrypt and use Decrypt on the page that needs to interpret the query string.
You can use this in addition to SSL; which is a good idea. This will also mean that the user won't be able to see the query string values.
There are caveats to using DPAPI. One is that it doesn't play well with load balancers. You would have to use something else, or setup the load balancer to use a sticky session. Another is that if they bookmark a page with an encrypted query string value; and you moved to another server, then all of the bookmarks will contain encrypted query strings that the server cannot decrypt now.
If the query strings need to be preserved (such as for bookmarking), and it isn't for just "temporary" use, then you would need to come up with a common key, keep it somewhere safe, and do the encryption yourself with something like AES.
这篇关于加密或隐藏QueryString在Asp.net网站使用.net 3.5的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
