0

My site is in ASP.NET 3.5 and C#. I am sending a link to my users by mail, and now I want to send each user a specific URL. So instead of sending clear text, I want to send a link with an encrypted string in the URL, which I will decrypt on my home page. For example, instead of www.mysite.aspx\mypage?userId=12 I'll send www.mysite.aspx\mypage?UserId=)@kasd12, and I'll decrypt it on my page so that I get userId = 12.

Please let me know whether my approach is correct or not, and how I can encrypt and decrypt the string in the simplest and easiest manner.

2

3 Answers

2

Isn't it more appropriate to generate a temporary access key?

3 Comments

With > 50 reputation points, you should be able to post this kind of follow-up question as a comment on the question rather than as a void answer :)
@Jørn I'd say that is a valid answer. The OP asks "Please let me know if my approach is correct"
This is an answer to "Please let me know if my approach is correct". Only I'm not saying he should use the more common approach of generating unique "hard-to-guess" access codes, I'm trying to let him think about whether this is what he really wants.... security through obscurity is always a bad thing btw :)
1

Generate a random string value instead of encryption/decryption :) And make it at least 6 or 7 characters long. Store the value in the database and once the value is received through a query string, run a SQL query to do whatever for the corresponding row :)

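```csharp
// In Page_Load():
string key = Request.QueryString["UserID"];  // random key taken from the link
// Bind the key as a parameter instead of placing it in the SQL text
SqlCommand cmd = new SqlCommand("UPDATE UserTable SET UserStatus='Activated' WHERE RandomKey=@key", connection);
cmd.Parameters.AddWithValue("@key", key);
cmd.ExecuteNonQuery();
```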

3 Comments

Rather than a 6 or 7 character string, use a Guid.
@Ben - I had the same bright idea only to discover that it wasn't so bright! stackoverflow.com/questions/643445/…
Just because GUIDs are not cryptographically secure does not mean they are not fit for this purpose. They are not suitable for use as a cryptographic key, as the data could be decrypted by generating millions of likely GUIDs. This attack is not feasible in the context of a query string key, as you would have to make millions of HTTP requests in a short period of time.
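
As an added example (not code from the question or from any answer), the random-key approach discussed in the answers above can be sketched with APIs available in .NET 3.5: the link carries a token from the OS random number generator, only its hash is stored, and it expires and works once. The class and method names are hypothetical, and the in-memory dictionary is an assumption standing in for the database table.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper; the Dictionary stands in for a database table keyed on the token hash.
public class AccessLinkStore
{
    private class Entry { public int UserId; public DateTime ExpiresUtc; }
    private readonly Dictionary<string, Entry> _byHash = new Dictionary<string, Entry>();
    private static string Hex(byte[] b) { return BitConverter.ToString(b).Replace("-", "").ToLowerInvariant(); }

    // Only the SHA-256 of the token is stored, so a leaked table does not yield usable links.
    private static string Hash(string token)
    {
        using (SHA256 sha = SHA256.Create())
            return Hex(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    // Issue a 128-bit token from the OS CSPRNG; the e-mailed link carries this value, not the user id.
    public string Issue(int userId, TimeSpan lifetime)
    {
        byte[] raw = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(raw);
        string token = Hex(raw);
        _byHash[Hash(token)] = new Entry { UserId = userId, ExpiresUtc = DateTime.UtcNow.Add(lifetime) };
        return token;
    }

    // Returns the user id once for a known, unexpired token; null otherwise.
    public int? Redeem(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        string key = Hash(token);
        Entry e;
        if (!_byHash.TryGetValue(key, out e)) return null;
        _byHash.Remove(key);                               // single use, even if already expired
        return e.ExpiresUtc > DateTime.UtcNow ? (int?)e.UserId : null;
    }

    public static void Main()
    {
        AccessLinkStore store = new AccessLinkStore();
        string token = store.Issue(12, TimeSpan.FromHours(24));
        Console.WriteLine(store.Redeem(token));            // first use resolves the user
        Console.WriteLine(store.Redeem(token).HasValue);   // a replayed link is rejected
        Console.WriteLine(store.Redeem("12").HasValue);    // a guessed value is rejected
    }
}
```

With a real table, the lookup and removal in `Redeem` become a single parameterized statement so that two concurrent requests cannot both redeem the same token.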
1

I'm pretty sure this code project page is what you're after. It's basically an HttpModule that can be used to encrypt querystrings.
