1

I'm developing a Web Site using ASP.NET MVC 3, Nowadays I need to encrypt the ID of my customer's URL. For example:

http://mysite.com/person?id=42

to something like that:

http://mysite.com/person?id=Dfjhasdfh33kASDG868365çkhg54sdSDFD

It need be secure. When I say secure, It means hard to any one discover the correct ID

Is there any library to do that?

Many secure web payments one of then like paypal uses this type of approach: https://paypal.com/br/webscr?info=CNS9tFsVM_tv4c18gHgZ3OMH2zblN7GWDQoyamVF3mzNh7vGDuhiKU3

Improve this question
8
  • 1
    Define the "secure" scope of your project. Commented Jun 14, 2012 at 16:39
  • Try this post, and hopfully it will answer your question stackoverflow.com/questions/6157150/… Commented Jun 14, 2012 at 16:40
  • 1
    What does this user id represent? Is it the current user? Why does it need to be secure? What could happen if it is not encrypted? Commented Jun 14, 2012 at 16:41
  • When I say secure, It means hard to any one discover the correct ID. Commented Jun 14, 2012 at 16:42
  • 3
    What makes your long ID any more secure than the number? This sounds like security through obscurity. Commented Jun 14, 2012 at 18:14

2 Answers 2

Reset to default
1

If you REALLY want to encrypt the query param, it's very simple, just use any encryptor provided by .Net and then use an attribute or a httpmodule to decrypt the param.

The most important thing is to ALWAYS validate the request. If you can do it a POST with anti forgery token, do it. Then, always check the user credentials if that user has access to the protected resource.

It's not hard at all, but you have to take it slowly and handle every scenario you can think of. Use a white list approach: only those who meet some conditions are allowed.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

One option would be to make your PK's that long with a randomly generated string or a unique identifier (GUID).

Improve this answer

2 Comments

But to queries over those GUID will take long times.
It is possible to generate GUIDs nowadays that are sequential and thus PK friendly. If sequential means that they are somewhat "predictable" and that's not acceptable, you could add a surrogate key column for this guid and use a non-clustered index.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.