Solved

Encrypting Sharepoint URL parameters

Posted on 2010-08-17
7
1,768 Views
Last Modified: 2012-05-10
I need a solution for encrypting  the url parameters of a sharepoint URL e.g. "http://sharepointsite.com/Lists/ListName/NewForm.aspx?Title=Title Text Here&Description=Description Text Here". I need any parameter after the ? to be encrypted.
(Just for reference, i'm using SPFF (Sharepoint Form Field Asistant: http://spff.codeplex.com/) to pass the parameters to the NewForm Fields.

I found this when googling for a solution but don't know how to implement it or even if it can be implemented into sharepoint: http://devcity.net/PrintArticle.aspx?ArticleID=47
It's almost exactly what i'm after.

Is there anyone who knows how to do this?
I have access to Sharepoint Designer.

Any help will be much appreciated.

Thanks
0
Comment
Question by:ydsonline
  • 4
  • 2
7 Comments
 
LVL 6

Assisted Solution

by:vikas413
vikas413 earned 200 total points
ID: 33452394
you have good approach to do this, but fundamentally SPFF is created on JQuery which is is on client side, and the other part your encryption-decryption code should be on server side which is on server side.

when form is loaded in browser SPFF updates the fields by filling values by taking it from query string, and didn't do anything on server side. so if you pass encrypted string you need to have some way (update SPFF) to decrypt it from client, which in turn becomes request to server(with updated spff) to decrypt it.

but I think this is not good approach .. as anyone can call same function by checking it from your JS..

so I think if you wanna go with encrypted query string you need to write your own new/edit form for your libraries.

hope I have clear my point.

regards,
Vikas Patel.


0
 
LVL 5

Author Comment

by:ydsonline
ID: 33452411
Thanks for your explanation vikas. I actually don't mind if the encryption only occurs on the client side. The site is mainly for internal use and only needs to fool the normal user to not be able to edit the parameters. We are talking about standard users in an office environment so i'm not too worried if it doesn't get encrypted on the server side. But good point and clarification, thanks.
Are you still able to help with getting the encryption to work on the client side?
 
0
 
LVL 6

Assisted Solution

by:vikas413
vikas413 earned 200 total points
ID: 33452587
http://www.fourmilab.ch/javascrypt/javascrypt.html
http://javascript.about.com/od/problemsolving/a/encrypt.htm
http://pajhome.org.uk/crypt/md5/

here are some examples of js encryption/decryption. merge it with SPFF while getting values from querystring and you are ready to roll.. ;)
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 5

Author Comment

by:ydsonline
ID: 33462205
Thanks Vikas, but i'm not sure how to implement encrypting the url from those pages that you mentioned. I can see that you can use it to encrypt a url but can't figure out how to implement it into my current page so it automatically encrypts the url.

I have found an alternative method in the mean time which seems to work well for my purposes. It's not encryption unfortunately, but uses a frameset instead to hide the original page url. Then I used a script to disable the right click on the page so you can't use the properties of the page to see the url and then use another script to delete the history of the page url so it won't show up in the browser history.

I still would rather use encryption since the alternative method is more work for me.

If you can explain or give me an example of how to merge those encryption techniques with SPFF, that would be much appreciated.
 

Below I've include an example of what I did as an alternative just for the sake of this question:

New page with original url in framset:
<HTML>
<HEAD>
<TITLE>This is test </TITLE>
</HEAD>
<FRAMESET cols="*">
<FRAMESET rows="*">
<FRAME src="http://sharepointsite.com/Lists/ListName/NewForm.aspx?Title=Title">
</FRAMESET>
</HTML>  
 
Script to Disable history:
<script language="javascript" >
javascript: window.history.forward(1);
</script>  
 
Script to disable right click on page:
<SCRIPT TYPE="text/javascript">
<!--
//Disable right click script
//visit http://www.rainbow.arch.scriptmania.com/scripts/ 
var message="Sorry, right-click has been disabled";
///////////////////////////////////
function clickIE() {if (document.all) {(message);return false;}}
function clickNS(e) {if
(document.layers||(document.getElementById&&!document.all)) {
if (e.which==2||e.which==3) {(message);return false;}}}
if (document.layers)
{document.captureEvents(Event.MOUSEDOWN);document.onmousedown=clickNS;}
else{document.onmouseup=clickNS;document.oncontextmenu=clickIE;}
document.oncontextmenu=new Function("return false")
// -->
</SCRIPT>
0
 
LVL 2

Accepted Solution

by:
furball4 earned 300 total points
ID: 33494411
Can you be a bit more precise about your goals? Encryption is a means, not an end. Saying that you want to encrypt the parameters is assuming a goal - but we need to understand the goal ourselves in order to be of the most help. What is it exactly that you want to allow/disallow?

From what you have written I think the answer is that you wish to make tampering impossible. If that is your only purpose (and not, for example, to also make the parameters incomprehensible) then you could roll together a solution that required no encryption. Such a solution would either store the parameters server-side or verify them whenever they were re-presented to the server. Really it is the same solution but with different implementations.  The former would even make them incomprehensible to the user, if that was a nice plus for you.

So to be clear, I am suggesting that when your app is going to put a link into a webpage (like http://www.myapp.com/index.html?secret_var=1&vulnerable_var=2) you instead throw the string "secret_var=1&vulnerable_var=2" into a database alongside a large, high-entropy, temporary key. Then you use this link in the app: http://www.myapp.com/index.html?key=e289asihfh2024fwhfalsd8f42. When that request comes in, you use the re-presented key to recover the actual parameters from the database and read them into your app yourself. I suspect that whatever development language you are using will already have something like this available as a library or code snippet. Most web apps already do dozens of database queries per page - one more pull on a primary key isn't going to slow things down.
0
 
LVL 5

Author Comment

by:ydsonline
ID: 33497744
Thanks for you suggestions furball, i'll reply shortly...
0
 
LVL 5

Author Closing Comment

by:ydsonline
ID: 33517121
Thanks guys, some of your thoughts have led me to a solution that does not require encryption and seems to work well for my purposes. My Goal was as furball put it, to make tampering impossible. I have however found those encryption links handy as well and used them as part of my solution in a different way. so thanks.
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Windows - create strong certificates 5 63
How to code SharePoint 2013 online 4 74
SharePoint 2013 with K2 5 24
Icons on a page, side-by-side 6 36
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question