HttpModule for encrypting query strings
I found this great little HttpModule that encrypts and decrypts all query strings. It can be found here: HttpModule for query string encryption
There is one major flaw that I could really use some input on how to solve. On a postback of the page the HttpMethod POST gets skipped and the QueryString gets shown decrypted. Obviously this is a major security risk.
void context_BeginRequest(object sender, EventArgs e)
{
    try
    {
        HttpContext context = HttpContext.Current;
        // Only .aspx requests that actually carry a query string are of interest.
        if (context.Request.Url.OriginalString.Contains("aspx") && context.Request.RawUrl.Contains("?"))
        {
            string query = ExtractQuery(context.Request.RawUrl);   // the text after the '?'
            string path = GetVirtualPath();                       // the requested .aspx path
            if (query.StartsWith(PARAMETER_NAME, StringComparison.OrdinalIgnoreCase))
            {
                // Decrypts the query string and rewrites the path.
                string rawQuery = query.Replace(PARAMETER_NAME, string.Empty);
                string decryptedQuery = Decrypt(rawQuery);
                context.RewritePath(path, string.Empty, decryptedQuery);
            }
            else if (context.Request.HttpMethod == "GET")
            {
                // Encrypt the query string and redirects to the encrypted URL.
                // Remove if you don't want all query strings to be encrypted automatically.
                string encryptedQuery = Encrypt(query);
                context.Response.Redirect(path + encryptedQuery);
            }
            // A POST (such as a postback) with a plaintext query string matches neither
            // branch and is served untouched.
        }
    }
    catch (ThreadAbortException)
    {
        // Response.Redirect ends the response by aborting the thread; let it pass.
    }
    catch (Exception exc)
    {
        ReportError(exc);
    }
}
I tried putting in an additional if clause for the POST method:
else if (context.Request.HttpMethod == "POST")
{
    // A POST whose query string is still plaintext: encrypt it and redirect,
    // exactly as the GET branch does.
    if (!query.StartsWith(PARAMETER_NAME, StringComparison.OrdinalIgnoreCase))
    {
        string encryptedQuery = Encrypt(query);
        context.Response.Redirect(path + encryptedQuery);
    }
}
However, this reloads the page because of the Response.Redirect, and so the PostBack is useless.
Does anyone have any ideas or know if there is a way to determine if the HttpContext is a PostBack?
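The two halves of a fix for the postback problem described in the question, as an added example rather than code from the linked module or from the asker. The module half keeps the same decision tree but recognises a Web Forms postback (a POST whose body carries `__VIEWSTATE` or `__EVENTTARGET`) and refuses it instead of silently serving it; the page half makes the rendered form post back to the encrypted URL in the first place, so that postbacks reach the module's decrypt branch like any other request. The `enc=` parameter name, the postback heuristic, and the abstract `Encrypt`/`Decrypt` (to be supplied by whatever cipher the existing module uses) are assumptions of this example.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Module half: same decision tree as the posted module, but a postback that arrives
// with a plaintext query is recognised and refused instead of silently served.
public abstract class EncryptedQueryModuleBase : IHttpModule
{
    // Assumed layout of an encrypted URL: /page.aspx?enc=<ciphertext>
    private const string PARAMETER_NAME = "enc=";

    // Supplied by the concrete module; Decrypt must throw on malformed or tampered input.
    protected abstract string Encrypt(string plaintextQuery);
    protected abstract string Decrypt(string ciphertext);

    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }
    public void Dispose() { }

    // A Web Forms postback is a POST whose body carries the page's own hidden fields.
    // Request.Unvalidated (ASP.NET 4.5+) reads the form without triggering request
    // validation, which would otherwise fire here in BeginRequest.
    protected static bool IsPostBack(HttpRequest request)
    {
        if (!string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            return false;
        var form = request.Unvalidated.Form;
        return form["__VIEWSTATE"] != null || form["__EVENTTARGET"] != null;
    }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        HttpRequest request = context.Request;
        string path = request.Path;                          // virtual path of the .aspx, before any rewrite
        int mark = request.RawUrl.IndexOf('?');
        if (mark < 0 || !path.EndsWith(".aspx", StringComparison.OrdinalIgnoreCase))
            return;
        string query = request.RawUrl.Substring(mark + 1);   // everything after the '?'

        try
        {
            if (query.StartsWith(PARAMETER_NAME, StringComparison.OrdinalIgnoreCase))
            {
                // Encrypted query, any HTTP method: decrypt and rewrite so the page sees
                // plaintext. Postbacks land here too once the form targets the encrypted URL.
                string decrypted = Decrypt(query.Substring(PARAMETER_NAME.Length));
                context.RewritePath(path, string.Empty, decrypted);
            }
            else if (IsPostBack(request))
            {
                // The form posted to the rewritten (decrypted) URL. A redirect would discard the
                // POST body, and the plaintext is already in the address bar, so refuse the
                // request; the real fix is on the page side (EncryptedQueryPage below).
                context.Response.StatusCode = 400;
                context.ApplicationInstance.CompleteRequest();
            }
            else if (request.HttpMethod == "GET")
            {
                // Plaintext query on a GET: send the client to the encrypted form of the URL.
                string target = path + "?" + PARAMETER_NAME + Encrypt(query);
                context.Response.Redirect(target, false);    // no Response.End, so no ThreadAbortException
                context.ApplicationInstance.CompleteRequest();
            }
            // Other methods with a plaintext query pass through, as in the posted module.
        }
        catch (Exception)
        {
            // Log the failure, then fail closed: a token that will not decrypt must never
            // fall through to the page with whatever the client put in the URL.
            context.Response.StatusCode = 400;
            context.ApplicationInstance.CompleteRequest();
        }
    }
}

// Page half: make the rendered <form> post back to the URL the browser actually requested
// (still encrypted) rather than the rewritten, decrypted one ASP.NET would emit by default.
public class EncryptedQueryPage : Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        if (Form != null && Request.RawUrl.IndexOf("?enc=", StringComparison.OrdinalIgnoreCase) >= 0)
            Form.Action = Request.RawUrl;    // HtmlForm.Action is settable from ASP.NET 3.5 SP1
    }
}
```

Derive the site's pages from EncryptedQueryPage (or set Form.Action the same way in a master page). The reason a redirect cannot work is that a 302 turns the postback into a GET and drops the form body; the reason the plaintext appears at all is that ASP.NET builds the form's action from the rewritten query, so the browser is told to post to the decrypted URL. Pointing the form at Request.RawUrl removes the leak, and the 400 branch only remains as a guard for pages that were not converted.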
Sending sensitive data in the query string is not a good idea. If you have to, then it is better to encrypt the data before building your query string rather than encrypting the whole query string. Also, your site should not be compromised by a user changing the query string. A URI takes a user to where he wants to go, so navigating by changing your query string (URI) is a standard for the web. The web should be RESTful.
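What the comment recommends, sealing the one sensitive value instead of the whole query string and never trusting the URL for authorisation, as an added example that is neither the commenter's code nor part of the linked module. It uses `MachineKey.Protect`/`Unprotect` (ASP.NET 4.5+), which encrypt and authenticate with the site's machine key and reject anything tampered with or minted for a different purpose; the purpose strings, the `a` parameter name and the `AccountPage` class are assumptions of this example.

```csharp
using System;
using System.Text;
using System.Web;
using System.Web.Security;

public static class ProtectedQueryValue
{
    // Changing this string invalidates every link minted under the old one.
    private const string Purpose = "QueryString.AccountId.v1";

    // Seal one value for one user. The user name is part of the purpose, so a token
    // copied out of one account's links will not unprotect for another account.
    public static string Protect(string value, string userName)
    {
        byte[] sealedBytes = MachineKey.Protect(Encoding.UTF8.GetBytes(value), Purpose, "user:" + userName);
        return HttpServerUtility.UrlTokenEncode(sealedBytes);   // base64url: safe in a query string as-is
    }

    // Null on any failure (bad encoding, another user, tampering, rotated key). Callers treat
    // null as "no value"; they never fall back to reading the parameter as plaintext.
    public static string Unprotect(string token, string userName)
    {
        if (string.IsNullOrEmpty(token)) return null;
        try
        {
            byte[] sealedBytes = HttpServerUtility.UrlTokenDecode(token);
            if (sealedBytes == null) return null;
            byte[] plain = MachineKey.Unprotect(sealedBytes, Purpose, "user:" + userName);
            return Encoding.UTF8.GetString(plain);
        }
        catch (Exception)   // CryptographicException on tampering; format errors on garbage
        {
            return null;
        }
    }

    // Only the sensitive value is sealed; the page name stays readable and the link
    // stays a normal, bookmarkable URI.
    public static string BuildLink(string page, string accountId, string userName)
    {
        return page + "?a=" + Protect(accountId, userName);
    }
}

// Consuming the value: a token that unprotects proves this site minted it for this user,
// nothing more. Whether the user may see that account is still a server-side decision.
public class AccountPage : System.Web.UI.Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        string user = User.Identity.IsAuthenticated ? User.Identity.Name : "anonymous";
        string accountId = ProtectedQueryValue.Unprotect(Request.QueryString["a"], user);
        if (accountId == null)
        {
            Response.StatusCode = 403;
            Response.SuppressContent = true;
            Context.ApplicationInstance.CompleteRequest();
            return;
        }
        // Authorise `user` against `accountId` here, then render. A tampered or borrowed
        // link never reaches this point carrying a value of the attacker's choosing.
    }
}
```

On a web farm, configure an explicit `<machineKey>` with `compatibilityMode="Framework45"` so that tokens minted on one server unprotect on the others and survive application restarts. Note what this does and does not buy: the value is hidden and cannot be altered or transplanted between users, but the link itself is still a bearer of that value for that user, so the page must still check that the user is allowed to see the account it names.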