Solved

When is HTML encoding necessary?

Posted on 2011-03-17
Last Modified: 2012-05-11
I created a home-grown Single Sign-On and have it working where one site has a button which opens up the second website. I create a link with username and a time stamp and read the "un" and "ts" variables in the Global.asax.cs Session_Start() successfully.

http://localhost:3291/?un=username&ts=353666232

It's working fine, but it's not yet encoded. I am testing it internally, and never expect to release it over the web. It's an internal website for internal use.

I do plan to encrypt the username and timestamp later. For now, please explain if I need to add HTML encoding, and why I need it.

Thanks,
newbieweb
Question by: newbieweb
4 Comments
Accepted Solution by paulmacd (earned 200 total points):
It wouldn't appear you need to do any encoding.  If you were going to pass parameters that included special characters (quotes, ampersands, etc.) that might otherwise be interpreted by the browser, you might want to encode those values.  Since it seems you're only passing numbers, there shouldn't be any problems.

Assisted Solution by wdosanjos (earned 100 total points):
I agree with paulmacd, no encoding should be necessary.

You should consider, though, not passing the username as a parameter due to the security risks (an ill-intended user can potentially "pretend" to be another).  I recommend that after authentication you generate some type of encrypted token that only your code can decrypt to extract the user info. And you pass that token along.

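The token the answer above recommends, as an added example that is not part of the thread and not the asker's code. Instead of encryption it uses an HMAC-SHA256 signature over the username and issue time, which is what actually stops a user from editing the "un" value: the second site recomputes the tag with the shared key and rejects anything that does not match or is older than the allowed window. The secret key, the 60-second lifetime and the function names (issue_token, verify_token, forge_attempt) are assumptions made for this example; the token is base64url text, so it can go straight into the query string without further URL encoding.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed shared secret for the example. In a deployment it lives in the
# configuration of both sites and never appears in a URL. Constructed value.
SECRET_KEY = b"replace-with-a-long-random-secret-shared-by-both-sites"
TOKEN_LIFETIME_SECONDS = 60   # assumed window in which a token may be redeemed
CLOCK_SKEW_SECONDS = 5        # tolerance for the two sites' clocks differing


def _b64url_encode(raw):
    """Base64url without padding: only [A-Za-z0-9-_], all safe in a query string."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def issue_token(username, issued_at=None, key=SECRET_KEY):
    """Created by the first site after it has authenticated the user.

    The payload carries the same two facts as the original link ("un" and
    "ts"); the tag is an HMAC over that exact payload, so any change to
    either field invalidates it.
    """
    issued_at = int(time.time()) if issued_at is None else issued_at
    payload = json.dumps({"un": username, "ts": issued_at},
                         separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64url_encode(payload) + "." + _b64url_encode(tag)


def verify_token(token, now=None, key=SECRET_KEY, lifetime=TOKEN_LIFETIME_SECONDS):
    """Checked by the second site (where Session_Start reads the parameter).

    Returns the username, or None if the token is malformed, was not signed
    with our key, or falls outside the accepted time window.
    """
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = _b64url_decode(payload_b64)
        tag = _b64url_decode(tag_b64)
    except ValueError:              # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
        username, issued_at = claims["un"], int(claims["ts"])
    except (ValueError, KeyError, TypeError):
        return None
    if not (now - lifetime <= issued_at <= now + CLOCK_SKEW_SECONDS):
        return None
    return username


def forge_attempt(token, new_username):
    """What an ill-intended user can do with a token they have seen: rewrite
    the username but keep the old tag, since they cannot recompute it."""
    payload_b64, tag_b64 = token.split(".", 1)
    claims = json.loads(_b64url_decode(payload_b64))
    claims["un"] = new_username
    tampered = json.dumps(claims, separators=(",", ":")).encode()
    return _b64url_encode(tampered) + "." + tag_b64


if __name__ == "__main__":
    tok = issue_token("username")
    print("http://localhost:3291/?token=" + tok)
    print("verified as:", verify_token(tok))
    print("forged token accepted?", verify_token(forge_attempt(tok, "admin")) is not None)
```

The link then carries one opaque "token" parameter instead of "un" and "ts". Note that encrypting the two fields without a signature would not give this protection on its own, because ciphertext can still be altered; an authenticated construction (HMAC as here, or an AEAD cipher) is what ties the username to the key.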
Assisted Solution by John Claes (earned 200 total points):
The encoding is only done to ensure that your browser sends it as a parameter and does not look at it.

Example:
You want to send a string as a parameter to your page, something like
"this is a text with some chars like & in it"
Now you know that URLs split parameters using the & sign, so if you send it as it is, the browser will split your string into one recognized string "this is a text with some chars like" and the rest will be excluded from the string.

Therefore we use UrlEncoding: this will change our example string into
"this+is+a+text+with+some+chars+like+%26+in+it"

As you can see, spaces are changed into + and our & is changed into %26.
Now our browser will send the string directly and will not look at it.

When using encryption and special chars you should always do it.

A best practice that I personally enforce in my project group is that every parameter set in the URL or sent is always encoded, just to ensure that special signs are permitted (even when they're out of scope at the moment).


regards
poor beggar
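The splitting and encoding described in the answer above, as an added example that is not part of the thread and not the asker's ASP.NET code. It builds the question's link both the raw way and with URL encoding, parses each back the way a server would, and separately shows HTML encoding, which is a different step applied only when a value is written into a page. The base URL is the one from the question; the awkward username and the function names are constructed for this example.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

BASE_URL = "http://localhost:3291/"   # from the question
# Constructed username containing the two troublesome characters (space, &)
TRICKY_UN = "this is a text with some chars like & in it"


def build_sso_url_unencoded(base_url, un, ts):
    """What the question's link currently does: values pasted in raw."""
    return f"{base_url}?un={un}&ts={ts}"


def build_sso_url(base_url, un, ts):
    """Same link with each value URL-encoded.

    urlencode() applies quote_plus(), so a space becomes '+' and '&' becomes
    '%26', which is exactly the transformation shown in the answer.
    """
    return f"{base_url}?{urlencode({'un': un, 'ts': ts})}"


def read_sso_params(url):
    """Server side (the Session_Start role): recover 'un' and 'ts'.

    parse_qs() splits the query on '&' first and percent-decodes each value
    afterwards, so an encoded '&' inside a value survives while a raw one
    ends the value early and leaves a dangling, keyless fragment that is
    dropped.
    """
    query = parse_qs(urlsplit(url).query)
    return query["un"][0], query["ts"][0]


def html_encode_for_page(value):
    """HTML encoding: only needed when the value is rendered into HTML, so
    '<', '>', '&' and quotes appear as text instead of being parsed as markup.
    It does nothing for the query-string problem above."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    print(build_sso_url(BASE_URL, "username", "353666232"))
    raw = build_sso_url_unencoded(BASE_URL, TRICKY_UN, "353666232")
    enc = build_sso_url(BASE_URL, TRICKY_UN, "353666232")
    print(raw, "->", read_sso_params(raw))
    print(enc, "->", read_sso_params(enc))
    print(html_encode_for_page('<b>"O\'Brien" & co</b>'))
```

For the plain username and numeric timestamp in the question the encoded and unencoded links are identical, which is why the first two answers say no encoding is needed; the difference only appears once a value contains a reserved character.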

Author Closing Comment by newbieweb:
Thanks!