Encrypting or hiding the QueryString on an ASP.NET website with .NET 3.5

Published 12-28 07:00 · 1436 words · 4 views · 0 comments


Comments (2)

你是我的挚爱i 2025-01-04 07:00:11

What Chris said in his answer is absolutely correct. I would accept that as the answer if it is suitable.

The first question is, do you need to use a query string if you are hiding it from the user? Perhaps something like Session State is better, to keep the user from ever seeing it in the first place.

However, barring that - perhaps you have a requirement that you can't work around and you absolutely have to do it yourself using the query string.

You can encrypt the query string, in your case I would use DPAPI so you don't have to worry about troublesome things like key management. Here is an example usage:

    // DPAPI round trip. The second argument is optional entropy (none here);
    // DataProtectionScope.LocalMachine means any process on this machine, not only
    // this application pool identity, can call Unprotect on the output.
    public static string Encrypt(string val)
    {
        var bytes = System.Text.Encoding.UTF8.GetBytes(val);
        var encBytes = System.Security.Cryptography.ProtectedData.Protect(bytes, new byte[0], System.Security.Cryptography.DataProtectionScope.LocalMachine);
        return Convert.ToBase64String(encBytes);
    }

    // Throws FormatException on malformed Base64 and CryptographicException if the
    // blob was altered or was produced on a different machine.
    public static string Decrypt(string val)
    {
        var bytes = Convert.FromBase64String(val);
        var encBytes = System.Security.Cryptography.ProtectedData.Unprotect(bytes, new byte[0], System.Security.Cryptography.DataProtectionScope.LocalMachine);
        return System.Text.Encoding.UTF8.GetString(encBytes);
    }

You would have to add a reference to the System.Security assembly and import the namespace System.Security.Cryptography.

Here's an example on how to use it in a page:

Response.Redirect("~/somepage.aspx?data=" + Server.UrlEncode(Encrypt("SomeSensitiveData")));

And to decrypt it:

var data = Decrypt(Request.QueryString["data"]);

You can use Encrypt to encrypt a query string value and Decrypt on the page that needs to interpret the query string.

You can use this in addition to SSL, which is a good idea. This will also mean that the user won't be able to see the query string values.

There are caveats to using DPAPI. One is that it doesn't play well with load balancers. You would have to use something else, or set up the load balancer to use a sticky session. Another is that if they bookmark a page with an encrypted query string value and you move to another server, then all of the bookmarks will contain encrypted query strings that the server cannot decrypt any more.

If the query strings need to be preserved (such as for bookmarking), and it isn't for just "temporary" use, then you would need to come up with a common key, keep it somewhere safe, and do the encryption yourself with something like AES.
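
The answer above ends by pointing at the "common key, kept somewhere safe, AES" route for query strings that must survive a server move or a load-balanced farm. The following is an added example of that route written for this page; it is not code from the answer or from the original question. It uses AES-256-CBC with a fresh random IV and then HMAC-SHA256 over IV and ciphertext (encrypt-then-MAC), with two separate keys, and emits a URL-safe Base64 token. The class and method names, the key sizes and the demo keys are assumptions for illustration; the point is that a tampered or truncated token is rejected by the MAC check and returns null instead of throwing.

```csharp
// Added example: shared-key alternative to DPAPI for query-string values.
// Assumptions (not from the original answer): a 32-byte AES key and a 32-byte HMAC key,
// generated once and stored outside the web root (e.g. a protected web.config section),
// identical on every server in the farm.
using System;
using System.Security.Cryptography;
using System.Text;

public static class QueryStringProtector
{
    private const int IvLength = 16;   // AES block size
    private const int TagLength = 32;  // HMAC-SHA256 output size

    public static string Protect(string plaintext, byte[] encKey, byte[] macKey)
    {
        byte[] data = Encoding.UTF8.GetBytes(plaintext);
        using (var aes = new AesCryptoServiceProvider { Key = encKey, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
        {
            aes.GenerateIV();                                   // fresh IV per token; never reuse under one key
            byte[] cipher;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(data, 0, data.Length);
            byte[] ivAndCipher = Concat(aes.IV, cipher);
            byte[] tag;
            using (var hmac = new HMACSHA256(macKey))
                tag = hmac.ComputeHash(ivAndCipher);            // MAC covers IV and ciphertext
            return ToUrlSafeBase64(Concat(ivAndCipher, tag));
        }
    }

    // Returns null for missing, malformed, truncated or tampered tokens rather than throwing,
    // so the receiving page can answer with a plain 400 instead of surfacing an exception.
    public static string Unprotect(string token, byte[] encKey, byte[] macKey)
    {
        if (string.IsNullOrEmpty(token)) return null;           // Request.QueryString["data"] may be null
        byte[] blob;
        try { blob = FromUrlSafeBase64(token); }
        catch (FormatException) { return null; }
        if (blob.Length < IvLength + IvLength + TagLength) return null;   // IV + one padded block + tag

        int bodyLength = blob.Length - TagLength;
        byte[] ivAndCipher = new byte[bodyLength];
        byte[] tag = new byte[TagLength];
        Buffer.BlockCopy(blob, 0, ivAndCipher, 0, bodyLength);
        Buffer.BlockCopy(blob, bodyLength, tag, 0, TagLength);

        byte[] expected;
        using (var hmac = new HMACSHA256(macKey))
            expected = hmac.ComputeHash(ivAndCipher);
        if (!FixedTimeEquals(expected, tag)) return null;       // verify before any decryption

        byte[] iv = new byte[IvLength];
        byte[] cipher = new byte[bodyLength - IvLength];
        Buffer.BlockCopy(ivAndCipher, 0, iv, 0, IvLength);
        Buffer.BlockCopy(ivAndCipher, IvLength, cipher, 0, cipher.Length);
        try
        {
            using (var aes = new AesCryptoServiceProvider { Key = encKey, IV = iv, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(dec.TransformFinalBlock(cipher, 0, cipher.Length));
        }
        catch (CryptographicException) { return null; }         // only reachable if the encryption key differs
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static byte[] Concat(byte[] a, byte[] b)
    {
        byte[] r = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, r, 0, a.Length);
        Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
        return r;
    }

    // '+' and '/' are swapped out so a proxy or browser that re-decodes the URL cannot turn '+' into a space.
    private static string ToUrlSafeBase64(byte[] bytes)
    {
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    private static byte[] FromUrlSafeBase64(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4)
        {
            case 2: b64 += "=="; break;
            case 3: b64 += "="; break;
            case 1: throw new FormatException("invalid token length");
        }
        return Convert.FromBase64String(b64);
    }

    public static void Main()
    {
        byte[] encKey = new byte[32], macKey = new byte[32];    // constructed demo keys
        using (var rng = new RNGCryptoServiceProvider()) { rng.GetBytes(encKey); rng.GetBytes(macKey); }

        string token = Protect("customerId=42", encKey, macKey);
        Console.WriteLine(Unprotect(token, encKey, macKey));    // customerId=42

        char[] t = token.ToCharArray();                         // flip one character: MAC fails, result is null
        t[5] = t[5] == 'A' ? 'B' : 'A';
        Console.WriteLine(Unprotect(new string(t), encKey, macKey) == null);   // True
    }
}
```

In a page this replaces the DPAPI pair one for one: `Response.Redirect("~/somepage.aspx?data=" + QueryStringProtector.Protect(value, encKey, macKey))` on the sending side and `QueryStringProtector.Unprotect(Request.QueryString["data"], encKey, macKey)` on the receiving side, checking for null. Because every server holds the same keys, the token survives a move and a load balancer without sticky sessions, which is what makes bookmarks keep working. Note the trade-off that comes with that: a token has no expiry and is not bound to a user, so anyone holding a bookmarked URL can replay it; if that matters for the data in question, include an expiry timestamp or the session identifier in the plaintext and check it after Unprotect.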

夜巴黎 2025-01-04 07:00:11

Why would you want to encrypt the query string? If you are trying to send sensitive information from the browser to the server, use SSL. If you try to encrypt it yourself, you are bound to fail in some subtle way. Don't re-invent the wheel.
