querystring parameters

I am using IIS for a classic ASP application.
The application uses a couple session variables but for the most part querystring parameters. So the URL always shows the page they are on along with the name of the variable and its value.

Is there a way to prevent the browser (URL) from showing the querystring parameters ?   I don't want users changing the values of the parameters manually.
LVL 1
AleksAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Big MontyWeb Ninja at largeCommented:
even if you hide the query string variables, users can still enter them in, and if your code is built to develop them, then there's no way to prevent the user from doing so.

you have a couple options that you can proceed with.

1) you could look into url rewriting techniques to mask your url. It's a bit of a learning curve to implement, but once you understand it, you can mask your query string completely.

2) instead of using query string variables to pass data between pages, use hidden form elements (input type='hidden' ...... />), and store your data there. The data isn't completely hidden, as if they open developer tools, they can see the data being passed, but it'll make it harder for users to change those values

depending on your sites size and complexity, #2 may be an option if the scope is small enough, otherwise I'd go with option #1
zephyr_hex (Megan)DeveloperCommented:
There are a couple of options.  Encrypt the parameters, employ url rewriting, or change the method of passing parameters (for example, change to POST)
AleksAuthor Commented:
Which do you think its best and what are the downsides of encrypting the parameters ?

We tried URL rewriting but they mess up some pages. Also looks like the re-writing is for .net and this is an ASP classic application.
Looks like the encryption too is for .net.

I like that option, Is there one for ASP classic ?
Active Protection takes the fight to cryptojacking

While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.

Big MontyWeb Ninja at largeCommented:
url rewriting is the industry standard for this sort of thing and it's also language independent, meaning it can be used in classic asp (I know, I've implemented it in classic asp before).

I would stay away from encryption / decryption methods, it will add overhead to your application as each piece of data would need to be encrypted, then decrypted. If you're truly concerned about people reading your data, install a SSL certificate and it'll handle all of your encryption for you.
AleksAuthor Commented:
That makes sense. Do you know of any specific software or code I can use for ASP classic  for URL rewriting ?  
I understand it is something that can be used without changing any code in the application.
Big MontyWeb Ninja at largeCommented:
what version of IIS are you running? chances are you already have the component installed in IIS
AleksAuthor Commented:
IIS 7. Would be great if you know of a tutorial on how to do this so I can follow.
Big MontyWeb Ninja at largeCommented:
here's a good tutorial you can read:

http://codingstill.com/2010/08/url-rewriting-in-iis7/

be sure to check out the links at the page for more info

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
AleksAuthor Commented:
Thank you !
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
ASP

From novice to tech pro — start learning today.