querystring parameters
I am using IIS for a classic ASP application.
The application uses a couple session variables but for the most part querystring parameters. So the URL always shows the page they are on along with the name of the variable and its value.
Is there a way to prevent the browser (URL) from showing the querystring parameters ? I don't want users changing the values of the parameters manually.
The application uses a couple session variables but for the most part querystring parameters. So the URL always shows the page they are on along with the name of the variable and its value.
Is there a way to prevent the browser (URL) from showing the querystring parameters ? I don't want users changing the values of the parameters manually.
There are a couple of options. Encrypt the parameters, employ url rewriting, or change the method of passing parameters (for example, change to POST)
ASKER
Which do you think its best and what are the downsides of encrypting the parameters ?
We tried URL rewriting but they mess up some pages. Also looks like the re-writing is for .net and this is an ASP classic application.
Looks like the encryption too is for .net.
I like that option, Is there one for ASP classic ?
We tried URL rewriting but they mess up some pages. Also looks like the re-writing is for .net and this is an ASP classic application.
Looks like the encryption too is for .net.
I like that option, Is there one for ASP classic ?
url rewriting is the industry standard for this sort of thing and it's also language independent, meaning it can be used in classic asp (I know, I've implemented it in classic asp before).
I would stay away from encryption / decryption methods, it will add overhead to your application as each piece of data would need to be encrypted, then decrypted. If you're truly concerned about people reading your data, install a SSL certificate and it'll handle all of your encryption for you.
I would stay away from encryption / decryption methods, it will add overhead to your application as each piece of data would need to be encrypted, then decrypted. If you're truly concerned about people reading your data, install a SSL certificate and it'll handle all of your encryption for you.
ASKER
That makes sense. Do you know of any specific software or code I can use for ASP classic for URL rewriting ?
I understand it is something that can be used without changing any code in the application.
I understand it is something that can be used without changing any code in the application.
what version of IIS are you running? chances are you already have the component installed in IIS
ASKER
IIS 7. Would be great if you know of a tutorial on how to do this so I can follow.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you !
you have a couple options that you can proceed with.
1) you could look into url rewriting techniques to mask your url. It's a bit of a learning curve to implement, but once you understand it, you can mask your query string completely.
2) instead of using query string variables to pass data between pages, use hidden form elements (input type='hidden' ...... />), and store your data there. The data isn't completely hidden, as if they open developer tools, they can see the data being passed, but it'll make it harder for users to change those values
depending on your sites size and complexity, #2 may be an option if the scope is small enough, otherwise I'd go with option #1