What Chris said in his answer is absolutely correct. I would accept that as the answer if it is suitable.
The first question is, do you need to use a query string if you are hiding it from the user? Perhaps something like Session State is better, to prevent the user from ever seeing it in the first place.
However, barring that - perhaps you have a requirement that you can't work around and you absolutely have to do it yourself using the query string.
You can encrypt the query string; in your case I would use DPAPI so you don't have to worry about troublesome things like key management. Here is an example usage:
using System;
using System.Security.Cryptography;
using System.Text;

public static class QueryStringProtector
{
    // Protects a value with DPAPI under the machine key; the empty array means no extra entropy is mixed in.
    // Note: the Base64 output contains '+', '/' and '=', so UrlEncode it before placing it in a query string.
    public static string Encrypt(string val)
    {
        var bytes = Encoding.UTF8.GetBytes(val);
        var encBytes = ProtectedData.Protect(bytes, new byte[0], DataProtectionScope.LocalMachine);
        return Convert.ToBase64String(encBytes);
    }

    // Reverses Encrypt; throws CryptographicException if the blob was produced on another machine or was modified.
    public static string Decrypt(string val)
    {
        var bytes = Convert.FromBase64String(val);
        var encBytes = ProtectedData.Unprotect(bytes, new byte[0], DataProtectionScope.LocalMachine);
        return Encoding.UTF8.GetString(encBytes);
    }
}
You would have to add a reference to the System.Security assembly and import the namespace System.Security.Cryptography.
You can use this to encrypt a query string value with Encrypt, and use Decrypt on the page that needs to interpret the query string.
You can use this in addition to SSL, which is a good idea. This will also mean that the user won't be able to see the query string values.
There are caveats to using DPAPI. One is that it doesn't play well with load balancers. You would have to use something else, or set up the load balancer to use a sticky session. Another is that if they bookmark a page with an encrypted query string value and you move to another server, then all of the bookmarks will contain encrypted query strings that the server cannot decrypt now.
If the query strings need to be preserved (such as for bookmarking), and it isn't for just "temporary" use, then you would need to come up with a common key, keep it somewhere safe, and do the encryption yourself with something like AES.
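The shared-key alternative described in the last two paragraphs of that answer, as an added example that is not part of the original answer: AES-CBC under a key every server holds, an HMAC-SHA256 tag computed over the IV and ciphertext (encrypt-then-MAC) and checked in constant time before anything is decrypted, and URL-safe Base64 so the token can be dropped straight into a query string. Because the keys are shared rather than tied to one machine, any server behind a load balancer (or a replacement server) can decrypt old bookmarks. The class and method names are assumptions, and the two hard-coded placeholder keys exist only so the sample runs; in real use they would be loaded from a secrets store or protected configuration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the original answer. Placeholder keys below are
// assumptions for demonstration only; load real keys from a secrets store and
// deploy the same keys to every server so tokens decrypt anywhere.
public static class SharedKeyQueryString
{
    private static readonly byte[] EncKey = Encoding.ASCII.GetBytes("0123456789abcdef0123456789abcdef"); // 32 bytes: AES-256
    private static readonly byte[] MacKey = Encoding.ASCII.GetBytes("fedcba9876543210fedcba9876543210"); // 32 bytes: HMAC-SHA256
    private const int IvSize = 16;   // AES block size
    private const int TagSize = 32;  // HMAC-SHA256 output

    // Returns url-safe-base64(IV || AES-CBC(plaintext) || HMAC(IV || ciphertext)).
    public static string Protect(string plaintext)
    {
        byte[] iv = new byte[IvSize];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(iv); // fresh random IV per token

        byte[] ciphertext;
        using (var aes = Aes.Create())
        {
            aes.Key = EncKey; aes.IV = iv; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            using (var enc = aes.CreateEncryptor())
            {
                byte[] input = Encoding.UTF8.GetBytes(plaintext);
                ciphertext = enc.TransformFinalBlock(input, 0, input.Length);
            }
        }

        // Encrypt-then-MAC: the tag covers IV and ciphertext, so any bit flip is caught before decryption.
        byte[] body = Concat(iv, ciphertext);
        byte[] tag;
        using (var hmac = new HMACSHA256(MacKey)) tag = hmac.ComputeHash(body);
        return ToUrlSafeBase64(Concat(body, tag));
    }

    // Verifies the tag first; throws CryptographicException on a truncated or tampered token.
    public static string Unprotect(string token)
    {
        byte[] blob = FromUrlSafeBase64(token);
        if (blob.Length < IvSize + 16 + TagSize) throw new CryptographicException("Token too short to be valid.");

        int bodyLen = blob.Length - TagSize;
        byte[] body = new byte[bodyLen], tag = new byte[TagSize];
        Buffer.BlockCopy(blob, 0, body, 0, bodyLen);
        Buffer.BlockCopy(blob, bodyLen, tag, 0, TagSize);

        byte[] expected;
        using (var hmac = new HMACSHA256(MacKey)) expected = hmac.ComputeHash(body);
        if (!FixedTimeEquals(expected, tag)) throw new CryptographicException("Token failed integrity check.");

        byte[] iv = new byte[IvSize], ciphertext = new byte[bodyLen - IvSize];
        Buffer.BlockCopy(body, 0, iv, 0, IvSize);
        Buffer.BlockCopy(body, IvSize, ciphertext, 0, ciphertext.Length);

        using (var aes = Aes.Create())
        {
            aes.Key = EncKey; aes.IV = iv; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            using (var dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length));
        }
    }

    private static byte[] Concat(byte[] a, byte[] b)
    {
        byte[] r = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, r, 0, a.Length);
        Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
        return r;
    }

    // Compares every byte regardless of where the first mismatch is, so timing does not leak the tag.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // RFC 4648 base64url without padding: safe in a query string without further escaping.
    private static string ToUrlSafeBase64(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    private static byte[] FromUrlSafeBase64(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4) { case 2: b64 += "=="; break; case 3: b64 += "="; break; }
        return Convert.FromBase64String(b64);
    }

    public static void Main()
    {
        string token = Protect("userId=42&role=admin");   // constructed sample value
        Console.WriteLine("?data=" + token);
        Console.WriteLine(Unprotect(token));

        char[] c = token.ToCharArray();                      // flip one character of the token
        c[20] = c[20] == 'A' ? 'B' : 'A';
        try { Unprotect(new string(c)); }
        catch (CryptographicException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The decision that matters here is checking the MAC before touching the ciphertext: with CBC and PKCS7 padding, letting unauthenticated data reach the decryptor exposes the padding-oracle attack, and a query string is exactly the kind of input an attacker can modify at will. On .NET Core 3.0 and later, AesGcm gives the same guarantee in one primitive and is the simpler choice; the CBC plus HMAC construction above is shown because it also builds on .NET Framework, where the DPAPI snippet in the answer lives.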
Why would you want to encrypt the query string? If you are trying to send sensitive information from the browser to the server, use SSL. If you try to encrypt it yourself, you are bound to fail in some subtle way. Don't re-invent the wheel.