Solved

When is HTML encoding necessary?

Posted on 2011-03-17
4
280 Views
Last Modified: 2012-05-11
I created a home-grown Single Sign-On and have it working where one site has a button which opens up the second website. I create a link with username and a time stamp and read the "un" and "ts" variables in the Global.asax.cs Session_Start() successfully.

http://localhost:3291/?un=username&ts=353666232

It's working fine, but it's not yet encoded. I am testing it internally, and never expect to release it over the web. It's an internal website for internal use.

I do plan to encrypt the username and timestamp later. For now, please explain if I need to add HTML encoding, and why I need it.

Thanks,
newbieweb
Question by:newbieweb
4 Comments
 
LVL 34

Accepted Solution

by:
Paul MacDonald earned 200 total points
ID: 35155978
It wouldn't appear you need to do any encoding. If you were going to pass parameters that included special characters (quotes, ampersands, etc.) that might otherwise be interpreted by the browser, you might want to encode those values. Since it seems you're only passing numbers, there shouldn't be any problems.
 
LVL 23

Assisted Solution

by:wdosanjos
wdosanjos earned 100 total points
ID: 35156193
I agree with paulmacd, no encoding should be necessary.

You should consider, though, not passing the username as a parameter due to the security risks (an ill-intended user can potentially "pretend" to be another). I recommend that after authentication you generate some type of encrypted token that only your code can decrypt to extract the user info, and you pass that token along.

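The token idea from this answer, as an added example that is not part of the original thread and not the asker's ASP.NET code: it is written in Python rather than C#, and it uses an HMAC-signed token (tamper-evident, but the username stays readable) instead of the encrypted token the answer suggests; the timestamp that the asker already passes is folded in so that a captured link stops working after a short window. `SECRET_KEY`, `make_token`, `verify_token` and the 300-second lifetime are all assumptions of this example.

```python
import base64
import binascii
import hashlib
import hmac

# Hypothetical shared secret; in practice both sites would load a random
# key from configuration, never a literal in source.
SECRET_KEY = b"replace-with-a-random-key-shared-by-both-sites"


def _b64e(data: bytes) -> str:
    """URL-safe base64 without padding, so the token needs no further encoding."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(username: str, issued_at: int, key: bytes = SECRET_KEY) -> str:
    """Bind username and issue time together under an HMAC-SHA256 tag.

    Replaces the plain ?un=...&ts=... pair from the question with one
    value that the second site can check but nobody else can forge.
    """
    payload = f"{username}|{issued_at}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(mac)


def verify_token(token: str, now: int, max_age: int = 300,
                 key: bytes = SECRET_KEY):
    """Return the username if the token is genuine and fresh, else None."""
    try:
        p64, m64 = token.split(".")
        payload, mac = _b64d(p64), _b64d(m64)
    except (ValueError, binascii.Error):
        return None  # malformed token

    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # tag mismatch: payload or tag was altered

    # Split on the last '|' so a username containing '|' still works.
    username, _, ts = payload.decode("utf-8", "replace").rpartition("|")
    if not ts.isdigit():
        return None
    issued = int(ts)
    if issued > now + 60 or now - issued > max_age:
        return None  # clock skew beyond tolerance, or token expired
    return username


if __name__ == "__main__":
    # Constructed sample: the timestamp from the question, reused as issue time.
    tok = make_token("username", 353666232)
    print("link:", "http://localhost:3291/?token=" + tok)
    print("verified as:", verify_token(tok, now=353666232 + 10))
```

Because the token is URL-safe base64 plus a dot, it can be placed in the query string as-is; with `hmac.compare_digest` the tag check runs in constant time, and the freshness window limits how long a link copied from a browser history remains usable.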
 
LVL 10

Assisted Solution

by:John Claes
John Claes earned 200 total points
ID: 35156231
The encoding is only done to ensure that your browser sends it as a parameter and is not looking at it.

Example:
You want to send a string as a parameter to your page, something like
"this is a text with some chars like & in it"
Now you know that URLs split parameters using the & sign, so if you send it as it is, the browser will split your string into one recognized string "this is a text with some chars like" and the rest will be excluded from the string.

Therefore we use URL encoding: this will change our example string into
"this+is+a+text+with+some+chars+like+%26+in+it"

As you can see, spaces are changed into + and our & is changed into %26.
Now our browser will send the string directly and will not look at it.

When using encryption and special chars you should always do it.

A best practice that I personally enforce in my project group is that every parameter set in the URL or sent is always encoded, just to ensure that special signs are permitted (even when they're out of scope at the moment).


regards
poor beggar
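The splitting problem described in this answer, and the "only numbers, no encoding needed" point from the accepted answer, shown as an added example that is not part of the original thread (Python's `urllib.parse` rather than the asker's C#). `RAW_TEXT` is the sample string from the answer, `build_link` and `read_param` are names chosen for this example, and the localhost URL is the one from the question.

```python
from urllib.parse import parse_qs, quote_plus, urlencode, urlsplit

# Sample string from the answer above (constructed input for this example).
RAW_TEXT = "this is a text with some chars like & in it"


def encode_value(value: str) -> str:
    """URL-encode one query value: spaces become '+', '&' becomes '%26'."""
    return quote_plus(value)


def build_link(base: str, params: dict) -> str:
    """Build a link like the one in the question, encoding every value.

    urlencode() applies quote_plus to each value, so plain numbers pass
    through unchanged while special characters are escaped.
    """
    return base + "?" + urlencode(params)


def read_param(url: str, name: str):
    """Read one query parameter back the way a server-side parser would."""
    values = parse_qs(urlsplit(url).query).get(name)
    return values[0] if values else None


if __name__ == "__main__":
    base = "http://localhost:3291/"
    # Unencoded: the parser stops at the '&', the rest of the text is lost.
    print(read_param(base + "?text=" + RAW_TEXT, "text"))
    # Encoded: the whole string survives the round trip.
    print(read_param(base + "?text=" + encode_value(RAW_TEXT), "text"))
    # The question's own link: plain values are unchanged by encoding,
    # a username with an '&' is not.
    print(build_link(base, {"un": "username", "ts": "353666232"}))
    print(build_link(base, {"un": "a&b", "ts": "353666232"}))
```

Encoding every value, as the answer recommends, costs nothing for values that need no escaping (the link from the question comes out identical) and prevents a later username such as `a&b` from silently becoming a second parameter.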
 

Author Closing Comment

by:newbieweb
ID: 35175874
Thanks!
