Solved

When is HTML encoding necessary?

Posted on 2011-03-17
4
284 Views
Last Modified: 2012-05-11
I created a home grown Single Sign-On and have it working where one site has a button which opens up the second website. I create a link with username and a time stamp and read the "un" and "ts" variables in the Global.asax.cs Session_Start() succesfully.

http://localhost:3291/?un=username&ts=353666232

It's working fine, but it's not yet endoded. I am testing it internally, and never expect to release it over the web. It's an internal website for internal use.

I do plan to encrypt the username and timestamp later. For now, please explain if I need to add HTML encoding, and why I need it.

Thanks,
newbieweb
0
Comment
Question by:newbieweb
4 Comments
 
LVL 34

Accepted Solution

by:
Paul MacDonald earned 200 total points
ID: 35155978
It wouldn't appear you need to do any encoding.  If you were going to pass parameters that included special characters (quotes, ampersands, etc) that mgiht otherwise be interpreted by the browser, you might want to encode those values.  Since it seems you're only passing numbers, there shouldn't be any problems.
0
 
LVL 23

Assisted Solution

by:wdosanjos
wdosanjos earned 100 total points
ID: 35156193
I agree with paulmacd, no encoding should be necessary.

You should consider though not passing the username as a parameter due to the security risks (an ill intended user can potentially "pretended" to be another).  I recommend that after authentication you generate some type of encrypted token that only your code can decrypt to extract the user info. And you pass that token along.

 
0
 
LVL 10

Assisted Solution

by:John Claes
John Claes earned 200 total points
ID: 35156231
The Encoding is only done to ensure that your browser sends it as a Parameter and is not looking at it.

Example :
You want to send a string as parameter to your page : something like
"this is a text with some chars like & in it"
Now you know that Url's split parameters using the & sign, so if you send it like it is the browser will split your string into 1 recognized string "this is a text with some chars like" and the rest will be excluded from the string.

Therefor we use UrlEncoding:  this will change our example string into
"this+is+a+text+with+some+chars+like+%26+in+it"

As you can see spaces are changed into + and our & is changed into %26
Now our browser will send the string directly and will not look at it.

When using encryption and special chars you always should do it.

A best practice that I personly enforce in my projectGroup is that every parameter set in the Url or is send is always encoded. Just to ensure that special signs are permitted (even when they're out of scope at the moment)


regards
poor beggar
0
 

Author Closing Comment

by:newbieweb
ID: 35175874
Thanks!
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
C# Linq - Join two objects into one 3 31
I need help changing the default value for an @HTML.LabelFor control 4 34
Return array 3 19
c#, case, if 4 16
IntroductionWhile developing web applications, a single page might contain many regions and each region might contain many number of controls with the capability to perform  postback. Many times you might need to perform some action on an ASP.NET po…
Today I had a very interesting conundrum that had to get solved quickly. Needless to say, it wasn't resolved quickly because when we needed it we were very rushed, but as soon as the conference call was over and I took a step back I saw the correct …
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question