I work on a web application which is written in C#/ASP.NET. The original framers of this application chose to use encrypted query strings and ViewState to control the 'security' and 'state' of the application.

Having come from the GET/POST world before this, I do not have a good basis for understanding why people would go to the trouble of encrypting query strings, when using POST for sensitive data (with SSL) would get the same level of security.

My question is: what are the advantages and disadvantages of using encrypted query strings in ASP.NET? Is there a documented 'best practice' for this?
Edit: People are focusing on ViewState in this question. Don't. ViewState was mentioned only to give you a better idea of how state is managed, as it is related to the depth of the URL. I never said ViewState was encrypted; actually there are two issues: 1) the use of ViewState, and 2) the use of encrypted query strings. This question focuses on the latter. I hope that helps narrow the focus of the question.

One reason you might do this is to prevent tampering with the URL itself. For example, if you have a URL:
http://foo.com/user.aspx?user_id=123
It would not be hard for me (or anyone) to change it to:
http://foo.com/user.aspx?user_id=124
If your data access strategy depends entirely on what is in the query string, this may allow unauthorized access to data.

This approach does serve that purpose correctly, but a more robust way to get there is to actively check authorization within the application, and never trust the URL alone for authentication and/or authorization purposes.

Note that this has nothing to do with SSL, which ensures confidentiality between browser and server; you can have a perfectly secure connection and still tamper with the URL.
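
The authorization check recommended above, as an added example that is not part of the original answer: the handler treats `user_id` as untrusted input and compares it with the authenticated identity instead of relying on the URL. `Authorizer`, `CanView`, `Handle`, `SignedIn` and the `Admin` role are hypothetical names, and claims-based identity is an assumption about how the application authenticates users.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Web;

// Added example: all type, method and role names here are hypothetical.
static class Authorizer
{
    // Decide from the authenticated identity, never from the URL alone.
    public static bool CanView(ClaimsPrincipal caller, int requestedUserId)
    {
        if (caller?.Identity?.IsAuthenticated != true) return false;
        if (caller.IsInRole("Admin")) return true;
        string ownId = caller.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        return int.TryParse(ownId, out int id) && id == requestedUserId;
    }

    // Returns the HTTP status the handler would send for this caller and URL.
    public static int Handle(ClaimsPrincipal caller, Uri url)
    {
        string raw = HttpUtility.ParseQueryString(url.Query)["user_id"];
        if (!int.TryParse(raw, out int requested)) return 400; // missing or malformed id
        return CanView(caller, requested) ? 200 : 403;
    }
}

static class Program
{
    // Constructed identities standing in for whatever the login step produces.
    static ClaimsPrincipal SignedIn(string id, params string[] roles)
    {
        var claims = new List<Claim> { new Claim(ClaimTypes.NameIdentifier, id) };
        foreach (var role in roles) claims.Add(new Claim(ClaimTypes.Role, role));
        // A non-empty authenticationType marks the identity as authenticated.
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "Constructed"));
    }

    static void Main()
    {
        var user123 = SignedIn("123");
        var admin = SignedIn("900", "Admin");
        var anonymous = new ClaimsPrincipal(new ClaimsIdentity());
        var own = new Uri("http://foo.com/user.aspx?user_id=123");
        var edited = new Uri("http://foo.com/user.aspx?user_id=124");
        Console.WriteLine($"user 123, own record:    {Authorizer.Handle(user123, own)}");
        Console.WriteLine($"user 123, edited URL:    {Authorizer.Handle(user123, edited)}");
        Console.WriteLine($"admin, edited URL:       {Authorizer.Handle(admin, edited)}");
        Console.WriteLine($"anonymous, edited URL:   {Authorizer.Handle(anonymous, edited)}");
    }
}
```

With this check in place the query string can stay in plain text: editing `user_id` changes which record is requested, not which records the caller is allowed to read.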