Solved

When is HTML encoding necessary?

Posted on 2011-03-17
Last Modified: 2012-05-11
I created a home grown Single Sign-On and have it working where one site has a button which opens up the second website. I create a link with username and a time stamp and read the "un" and "ts" variables in the Global.asax.cs Session_Start() successfully.

http://localhost:3291/?un=username&ts=353666232

It's working fine, but it's not yet encoded. I am testing it internally, and never expect to release it over the web. It's an internal website for internal use.

I do plan to encrypt the username and timestamp later. For now, please explain if I need to add HTML encoding, and why I need it.

Thanks,
newbieweb
Question by:newbieweb
4 Comments
 
LVL 34

Accepted Solution

by:
Paul MacDonald earned 200 total points
ID: 35155978
It wouldn't appear you need to do any encoding. If you were going to pass parameters that included special characters (quotes, ampersands, etc.) that might otherwise be interpreted by the browser, you might want to encode those values. Since it seems you're only passing numbers, there shouldn't be any problems.
0
 
LVL 23

Assisted Solution

by:wdosanjos
wdosanjos earned 100 total points
ID: 35156193
I agree with paulmacd, no encoding should be necessary.

You should consider, though, not passing the username as a parameter due to the security risks (an ill-intended user can potentially "pretend" to be another). I recommend that after authentication you generate some type of encrypted token that only your code can decrypt to extract the user info, and you pass that token along.

 
0
 
LVL 10

Assisted Solution

by:John Claes
John Claes earned 200 total points
ID: 35156231
The Encoding is only done to ensure that your browser sends it as a Parameter and is not looking at it.

Example :
You want to send a string as parameter to your page : something like
"this is a text with some chars like & in it"
Now you know that URLs split parameters using the & sign, so if you send it like it is, the browser will split your string into 1 recognized string "this is a text with some chars like" and the rest will be excluded from the string.

Therefore we use UrlEncoding: this will change our example string into
"this+is+a+text+with+some+chars+like+%26+in+it"

As you can see spaces are changed into + and our & is changed into %26
Now our browser will send the string directly and will not look at it.

When using encryption and special chars you always should do it.

A best practice that I personally enforce in my projectGroup is that every parameter that is set in the URL or is sent is always encoded, just to ensure that special signs are permitted (even when they're out of scope at the moment).


regards
poor beggar
0
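
Added example, not part of the thread or the asker's code: building and checking the SSO link in C#, showing why the username and any Base64 value placed in the URL both need URL encoding. It uses an HMAC signature in place of the encrypted token wdosanjos suggests; the key, the `sig` parameter, the class and method names, and the sample usernames are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web; // HttpUtility

static class SsoLinkDemo
{
    // Constructed demo key; assumed to be a secret shared by the two internal sites.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key");

    // HMAC over "un|ts": any change to either value invalidates the signature.
    static string Sign(string un, long ts)
    {
        using (var mac = new HMACSHA256(Key))
            return Convert.ToBase64String(mac.ComputeHash(Encoding.UTF8.GetBytes(un + "|" + ts)));
    }

    // Base64 output may contain '+', '/' and '=', and '+' is read back as a space
    // in a query string, so the signature needs URL encoding just like the username.
    static string BuildLink(string un, long ts, bool encode)
    {
        string sig = Sign(un, ts);
        if (encode) { un = HttpUtility.UrlEncode(un); sig = HttpUtility.UrlEncode(sig); }
        return "http://localhost:3291/?un=" + un + "&ts=" + ts + "&sig=" + sig;
    }

    // The check the receiving site would run in Session_Start on its query string.
    static bool Verify(string link, long now, long maxAgeSeconds)
    {
        var q = HttpUtility.ParseQueryString(new Uri(link).Query); // URL-decodes values
        long ts;
        if (q["un"] == null || q["sig"] == null || !long.TryParse(q["ts"], out ts)) return false;
        if (now < ts || now - ts > maxAgeSeconds) return false;    // stale or future link
        string expected = Sign(q["un"], ts), got = q["sig"];
        int diff = expected.Length ^ got.Length;                    // constant-time compare
        for (int i = 0; i < expected.Length && i < got.Length; i++) diff |= expected[i] ^ got[i];
        return diff == 0;
    }

    static void Main()
    {
        long ts = 353666232, now = ts + 10;   // ts from the question's sample URL
        string user = "r&d+ops";              // constructed username with special characters
        Console.WriteLine("raw:      " + Verify(BuildLink(user, ts, false), now, 60));
        Console.WriteLine("encoded:  " + Verify(BuildLink(user, ts, true), now, 60));
        string tampered = BuildLink("alice", ts, true).Replace("un=alice", "un=bob");
        Console.WriteLine("tampered: " + Verify(tampered, now, 60));
    }
}
```

In the raw case the `&` inside the username ends the `un` value early, so the receiving site signs a different string than the sender did; the tampered case is the impersonation risk raised earlier in the thread, caught by the signature check.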
 

Author Closing Comment

by:newbieweb
ID: 35175874
Thanks!
0

Question has a verified solution.
