Security is one of the key concerns in web applications. To maintain state we use many mechanisms, and the Query String is one of them. If the Query String holds any sensitive data, it may lead to SQL Injection, or to accessing some other user’s data simply by editing the Query String.
Let’s consider a simple web site with a page that shows Employee Details, including personal information such as the Social Security Number. This page is used only by HR or by the particular employee: an employee sees only his own data, and the Employee ID is maintained in the Query String.
What happens if I change the Query String from ID=1 to ID=2? I will be able to see another employee’s details, which is a security issue.
Below is the sample URL of the Employee page
Etc… anyone can change the ID in the Query String. To avoid this we use different ways of maintaining the ID, in Session or some other place the end user cannot change. If you want to keep using the Query String to maintain state, the details below show how to do it with encryption.
Query String Encryption
Query String encryption involves two steps: we encrypt the URL, and we rewrite the URL with the encrypted one. This logic could be placed in Global.asax and handled in the Begin and End Request events, but let’s use an HttpModule instead, which can be easily plugged into any application.
Below diagram illustrates this concept
As shown in the above diagram, the user is shown an encrypted string that is not in an understandable format. Below are the tasks performed by the URL Encryption Module.
Begin Request Event
• Validates the Query String
• Decrypts the Query String
• Rewrites the URL path so that the page can use the Query String in the normal way
End Request Event
• Encrypts the Query String, if any, and rewrites the encrypted URL into the Response during a Redirect
• We also need to update the form’s action attribute at page level to support the postback scenario: the URL reference in the page action must point to the encrypted one.
Below is the sample code to do it.
```csharp
public void Init(HttpApplication context)
{
    context.BeginRequest += new EventHandler(context_BeginRequest);
    context.EndRequest += new EventHandler(context_EndRequest);
}
void context_EndRequest(object sender, EventArgs e)
{
    // Only a redirect sets RedirectLocation; encrypt its query string before it leaves the server
    string location = HttpContext.Current.Response.RedirectLocation;
    if (location != null) HttpContext.Current.Response.RedirectLocation = Encrypt(location);
}
void context_BeginRequest(object sender, EventArgs e)
{   // validate, decrypt and RewritePath come first; only the rejection branch is shown here
    throw new HttpException("Not Valid Request");
}
```
Page (Form.Action is supported only from .NET 3.5 SP1; use Form.Attributes["action"] in earlier versions):

```csharp
// Page_Load: point the form's action at the encrypted URL so postbacks keep working
Form.Action = QuertStringModule.Encrypt(Request.Url.ToString());
```
Module registration in web.config (under system.web):

```xml
<httpModules>
  <add name="QuertStringModule" type="QuertStringModule"/>
</httpModules>
```
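The following is an added example, not the post’s own code: a complete version of the module that assumes ASP.NET 4.5 or later so that MachineKey.Protect can stand in for the post’s Encrypt/Decrypt. Because MachineKey.Protect is authenticated encryption, the “Validates the Query String” step becomes concrete: a token that has been edited fails in Unprotect and the request is rejected instead of being decrypted into another employee’s ID. The class name, the parameter name `q` and the purpose string are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;
// Hypothetical complete module. MachineKey.Protect (ASP.NET 4.5+) is authenticated encryption, so
// an edited or forged token fails Unprotect and is rejected; after RewritePath the page reads "ID=1".
public class EncryptedQueryStringModule : IHttpModule
{
    const string Param = "q";                             // query parameter carrying the token
    static readonly string[] Purpose = { "QueryString" }; // keeps tokens usable only for this
    public void Init(HttpApplication app)
    {
        app.BeginRequest += (s, e) =>
        {
            string token = app.Context.Request.QueryString[Param];
            if (token == null) return;                    // no encrypted part, leave it alone
            string plain = Decrypt(token);                // null on tampering or bad encoding
            if (plain == null) throw new HttpException(400, "Not Valid Request");
            app.Context.RewritePath(app.Context.Request.Path + "?" + plain);
        };
        app.EndRequest += (s, e) =>
        {
            string loc = app.Context.Response.RedirectLocation; // set only on a redirect
            if (loc != null) app.Context.Response.RedirectLocation = EncryptUrl(loc);
        };
    }
    public void Dispose() { }
    // Used by the module for redirects and by pages for Form.Action, as on the original post.
    public static string EncryptUrl(string url)
    {
        int i = url.IndexOf('?');
        if (i < 0 || i == url.Length - 1) return url;     // no query string to hide
        byte[] raw = Encoding.UTF8.GetBytes(url.Substring(i + 1));
        string token = HttpServerUtility.UrlTokenEncode(MachineKey.Protect(raw, Purpose));
        return url.Substring(0, i + 1) + Param + "=" + token;
    }
    public static string Decrypt(string token)
    {
        try
        {
            byte[] raw = HttpServerUtility.UrlTokenDecode(token);
            return raw == null ? null : Encoding.UTF8.GetString(MachineKey.Unprotect(raw, Purpose));
        }
        catch (FormatException) { return null; }          // not valid base64url
        catch (CryptographicException) { return null; }   // MAC check failed: token was altered
    }
}
```

Register it in web.config exactly where the post registers QuertStringModule, and have pages call EncryptedQueryStringModule.EncryptUrl where the post calls QuertStringModule.Encrypt. The token only hides an ID the server itself issued; the Employee page must still verify that the signed-in user is HR or that employee, which is the requirement the post states at the start.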
Below is the HTTP trace for a simple scenario where Default.aspx redirects to Employee.aspx?ID=1
Below is the Action content of Employee.aspx page
ID=1 is never exposed to the user, and the data is secured in all of these scenarios. If you want to use this in production, check other requests too: this sample code handles only .aspx, and you may need to update it to cover images or other resource types.