• Status: Solved
  • Priority: Medium
  • Security: Public

How to encrypt query string using asp?

I have a database that stores case information and allows clients to view details based on the case number using an asp script. The problem is that in the address bar the full path is displayed making it possible to easily enter another case number and view details other than the one intended. (detail.asp?caseno=XXXX)

I have read several "guides" on how to encrypt and decrypt this info but I am still kind of lost on how to set it up and where to put the code, etc.

I would need to use asp to do this...

I would like to know where to start and the steps needed to make it work. :)
3 Solutions
Daniel Wilson Commented:
Encrypting the case number is barely better than "security through obscurity".

You need to check whether the user has the rights to view the requested case before pulling the data.
prointel9900 (Author) Commented:
That's what I am asking... they have to login first which will redirect them to the page containing their case information but the path that is displayed in the address bar is what I am trying to get rid of...
prointel9900 (Author) Commented:
One more thing, I can possibly manage to post the variables to the page I need to prevent the information from displaying on the address bar but the main concern of mine is that the users are emailed a link to check the status of a given "case" and mainly would like to prevent the link from displaying that information.

You can encrypt an ID number and use that as a token, but it still won't prevent someone from brute-forcing their way into another case file. For example, if you use MD5 to encrypt an ID, you'll get something like this: 0b89391af819e715bbc1005fb6d86e7e. Certainly more complex than "1125", but not really that much more secure when you consider a program can run through thousands of encrypted ID numbers.

What you really want to do is tie your ID number to a client record.  Set up your case table like this:

caseno int,
casedate datetime,
casedata varchar(250),
morecasedata varchar(250),
userID int

When the user logs in you're presumably using either a session variable or a cookie to track their session -- then once they go to view the case number via the detail.asp page, you'll need to amend the SQL query that calls the record details like so:

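' Grab the user's ID number
varUserID = Session("userID")    ' Or Request.Cookies("userID")

' "cases" is a placeholder for your case table name.
' CLng forces the ID to a number before it is concatenated into the SQL.
strSQL = "SELECT caseno, casedate, casedata, morecasedata " & _
         "FROM cases " & _
         "WHERE userID = " & CLng(varUserID)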

Now you know that -- assuming the user hasn't gained access to someone else's account -- they're only viewing their case records.
prointel9900 (Author) Commented:
"For example, if you use MD5 to encrypt an ID, you'll get something like this: 0b89391af819e715bbc1005fb6d86e7e. "

That is what I was trying to do... mainly for the link that is viewable. You mention using "MD5" and I have no idea what that is or how to accomplish this. That is what my question is.

I have the pages so that they are only viewable with correct permissions. My main concern is not displaying the path with the link.

Hopefully I am making some sort of sense here, I am not quite sure how to explain it... :)
Well, if you want to do it this way you can check out this: http://userpages.umbc.edu/~mabzug1/cs/md5/md5.asp.  That's an MD5 algorithm in VBScript.  Save the code to an ASP page, include it in your program, then encrypt your value like this:

Dim varPlainText, varEncryptedText
varPlainText = "12345" ' However you want to grab the ID field
varEncryptedText = MD5(varPlainText)

Once encrypted, you'll need to store the value in the database since the newly encrypted value is one-way only.
The problem with this is another person can simply guess a number, run it through the MD5 function available from many sites online, and that way they can guess case numbers without any trouble.

If you really want to go this route, I suggest salting your case number. This will prevent the kind of attack explained above. E.g. you will md5(case_number + random salt). Using this md5, you will go through the DB and md5 the case_id + salt to see which case matches and display that. I suggest reading up on salting passwords.

As mentioned, the system should only allow specific people to view their cases. In this case, id= would work fine. If the case doesn't belong to that person, you can simply display an error message.
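
An added example, not part of the original thread: it shows why an unsalted MD5 of a sequential case number maps straight back to the number, and how a keyed token stored with the case plus an owner check behaves on lookup. It is written in Python with an in-memory SQLite table so it runs stand-alone rather than in ASP, and it uses HMAC-SHA256 in place of the md5(case_number + salt) suggested above. The names LINK_KEY, linktoken, keyed_token, fetch_case and the sample rows are assumptions.

```python
import hashlib
import hmac
import sqlite3

# Assumption: server-side secret; load it from configuration, never from the page or URL.
LINK_KEY = b"constructed-demo-key"


def md5_token(caseno):
    """Unsalted MD5 of the case number, the first approach in the thread."""
    return hashlib.md5(str(caseno).encode()).hexdigest()


def recover_caseno(token, max_caseno=100_000):
    """Audit check: map a token back to a case number by hashing every candidate.
    Succeeds for unsalted MD5, which is why that token hides nothing."""
    for n in range(1, max_caseno + 1):
        if md5_token(n) == token:
            return n
    return None


def keyed_token(caseno):
    """HMAC-SHA256 keyed with LINK_KEY; cannot be recomputed without the key."""
    return hmac.new(LINK_KEY, str(caseno).encode(), hashlib.sha256).hexdigest()


def fetch_case(conn, token, session_user_id):
    """Lookup for the detail page: the token selects the row, the session's
    userID must own it. Unknown token and wrong owner both return None."""
    return conn.execute(
        "SELECT caseno, casedata FROM cases WHERE linktoken = ? AND userID = ?",
        (token, session_user_id),
    ).fetchone()


def demo_db():
    """Constructed sample data: two cases owned by two different users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cases (caseno INTEGER PRIMARY KEY, "
                 "casedata TEXT, userID INTEGER, linktoken TEXT UNIQUE)")
    for caseno, data, owner in [(1125, "constructed case A", 7),
                                (1126, "constructed case B", 8)]:
        conn.execute("INSERT INTO cases VALUES (?, ?, ?, ?)",
                     (caseno, data, owner, keyed_token(caseno)))
    return conn
```

The emailed link then carries only the token, and a logged-in user who presents another client's token gets the same empty result as for a token that does not exist.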