How to encrypt query string using asp?

I have a database that stores case information and allows clients to view details based on the case number using an asp script. The problem is that in the address bar the full path is displayed, making it possible to easily enter another case number and view details other than the one intended. (detail.asp?caseno=XXXX)

I have read several "guides" on how to encrypt and decrypt this info but I am still kind of lost on how to set it up and where to put the code, etc.

I would need to use asp to do this...

I would like to know where to start and the steps needed to make it work. :)

Daniel Wilson Commented:
Encrypting the case number is barely better than "security through obscurity".

You need to check whether the user has the rights to view the requested case before pulling the data.

prointel9900 (Author) Commented:
That's what I am asking... they have to login first, which will redirect them to the page containing their case information, but the path that is displayed in the address bar is what I am trying to get rid of...
prointel9900 (Author) Commented:
One more thing: I can possibly manage to post the variables to the page I need to prevent the information from displaying on the address bar, but the main concern of mine is that the users are emailed a link to check the status of a given "case" and I mainly would like to prevent the link from displaying that information.

You can encrypt an ID number and use that as a token, but it still won't prevent someone from brute-forcing their way into another case file.  For example, if you use MD5 to encrypt an ID, you'll get something like this: 0b89391af819e715bbc1005fb6d86e7e.  Certainly more complex than "1125", but not really that much more secure when you consider a program can run through thousands of encrypted ID numbers.

What you really want to do is tie your ID number to a client record.  Set up your case table like this:

CREATE TABLE cases (          -- table name assumed; use whatever your case table is called
    caseno int,
    casedate datetime,
    casedata varchar(250),
    morecasedata varchar(250),
    userID int                -- owner of the case, set when the record is created
)

When the user logs in you're presumably using either a session variable or a cookie to track their session -- then once they go to view the case number via the detail.asp page, you'll need to amend the SQL query that calls the record details like so:

'     Grab the user's ID number (set in the session at login)
varUserID = Session("userID")    ' Or Request.Cookies("userID")

'     Coerce the requested case number to an integer so the query string can't inject SQL
varCaseNo = CLng(Request.QueryString("caseno"))

'     Both the case number AND the owner must match, so an edited caseno returns no rows
strSQL = "SELECT caseno, casedate, casedata, morecasedata " & _
         "FROM cases " & _          ' table name assumed
         "WHERE caseno = " & varCaseNo & " AND userID = " & varUserID

Now you know that -- assuming the user hasn't gained access to someone else's account -- they're only viewing their case records.
prointel9900 (Author) Commented:
"For example, if you use MD5 to encrypt an ID, you'll get something like this: 0b89391af819e715bbc1005fb6d86e7e. "

That is what I was trying to do... mainly for the link that is viewable. You mention using "MD5" and I have no idea what that is or how to accomplish this. That is what my question is.

I have the pages so that they are only viewable with correct permissions. My main concern is not displaying the path with the link.

Hopefully I am making some sort of sense here, I am not quite sure how to explain it... :)
Well, if you want to do it this way you can check out this:  That's an MD5 algorithm in VBScript.  Save the code to an ASP page, include it in your program, then encrypt your value like this:

Dim varPlainText, varEncryptedText
varPlainText = "12345" ' However you want to grab the ID field
varEncryptedText = MD5(varPlainText)

Once encrypted, you'll need to store the value in the database since the newly encrypted value is one-way only.
The problem with this is another person can simply guess a number, run it through the MD5 function available from many sites online, and that way they can guess case numbers without any trouble.

If you really want to go this route, I suggest salting your case number. This will prevent the kind of attack explained above. E.g. you will compute md5(case_number + random salt). Using this md5, you will go through the DB and md5 the case_id + salt to see which case matches and display that. I suggest reading up on salting passwords.

As mentioned, the system should only allow specific people to view their cases. In this case, id= would work fine. If the case doesn't belong to that person, you can simply display an error message.
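The two points the answers above make (tie every case row to its owner and check ownership in the query itself; and, for emailed links, use a token an outsider can't recompute instead of a bare MD5 of the case number) as one added Python example, not code from the original thread or from the asker's ASP site. It assumes a server-side secret key and the constructed in-memory table shown; the keyed hash (HMAC-SHA256) stands in for the "salted" token the last answer describes.

```python
import hashlib
import hmac
import sqlite3

# Assumption: a long random key kept in server-side config, never sent to the client.
SERVER_SECRET = b"example-secret-key-keep-this-out-of-source-control"


def link_token(caseno: int) -> str:
    """Opaque token for emailed links: a keyed hash (HMAC-SHA256) of the case number.

    Unlike the bare MD5 discussed in the thread, nobody can compute this for
    another case number without SERVER_SECRET, so tokens can't be enumerated.
    """
    return hmac.new(SERVER_SECRET, str(caseno).encode(), hashlib.sha256).hexdigest()


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory version of the case table the answer proposes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cases (caseno INTEGER PRIMARY KEY, casedata TEXT, "
        "userID INTEGER NOT NULL, token TEXT UNIQUE NOT NULL)"
    )
    sample = [(1125, "status: open", 7), (1126, "status: closed", 8)]  # constructed rows
    for caseno, data, owner in sample:
        conn.execute("INSERT INTO cases VALUES (?, ?, ?, ?)",
                     (caseno, data, owner, link_token(caseno)))
    conn.commit()
    return conn


def fetch_case(conn, caseno, session_user_id):
    """detail.asp?caseno=... equivalent: the ownership check is part of the query.

    Parameters are bound, not concatenated, so the URL can't inject SQL, and a
    user who edits caseno to someone else's case simply gets None.
    """
    return conn.execute(
        "SELECT caseno, casedata FROM cases WHERE caseno = ? AND userID = ?",
        (caseno, session_user_id),
    ).fetchone()


def fetch_case_by_token(conn, token, session_user_id):
    """Emailed-link path: resolve the opaque token, still require login and ownership."""
    return conn.execute(
        "SELECT caseno, casedata FROM cases WHERE token = ? AND userID = ?",
        (token, session_user_id),
    ).fetchone()
```

The token only hides which case a link refers to; the `userID = ?` clause is what actually stops one client from reading another's record.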