How can you secure/encrypt your querystring in asp.net?

I was wondering h开发者_如何学Cow you could encrypt/decrypt your querystring in a simple asp.net page? some values need to be passed between different pages but the querystring cannot be changed or read.

Some say httphandles could be the solution for this.

Any thoughts?

MORE BACKGROUND INFO:

hi thx for all the comments. this is the problem, sometimes the sessions disappear without any reason (well there must be one but I don't know it yet). I've looked into the possible reasons but nothing that could cause it is happening. Therefore I cannot rely on it anymore. The cookie solution is a possibility but it will be more work to implement than simply using the querystring. The url can be copied at any time just not changed!

Cheers, M.

You'll have to encrypt it manually using one of the .Net encryptions. Really this isn't what the query string is for. If you don't want the users to be able to access it, you should find a different way of passing it between pages.

Here is a project that will show you how to do symmetric encryption. http://www.codeproject.com/KB/security/SimpleEncryption.aspx

Dare I mention this, because it will create significant overhead, but you can post your information in the view state and use cross page posts to pass the information around:

http://www.velocityreviews.com/forums/t119789-view-state-in-previous-page-using-cross-page-postback.html

I needed to do this and just for reference this was my chosen solution.

Use a HTTPModule to encrypt and decrypt. Then just put the module in the web.config.

Found it here: https://madskristensen.net/blog/httpmodule-for-query-string-encryption/

From the article:

What we need is an HttpModule that can turn the encrypted query string into a normal readable one, so that we can still use our old logic like Request.QueryString["user"]. In other words, we want the user to see this

?enc=VXzal017xHwKKPolDWQJoLACDqQ0fE//wGkgvRTdG/GgXIBDd1

while your code sees this

?user=123&account=456.

Sample code in the article has the module you would add.

How about adding the value you need to the Viewstate? Viewstate can encrypted and validated for you.

ViewState["myKey"] = "myValue";

and then later

string myValue = ViewState["myKey"]

To enable encryption:

<%@Page ViewStateEncryptionMode="Always" %>

or

<configuration>
   <system.web>
      <pages ViewStateEncryptionMode="Always" />
   </system.web>
</configuration>

Here is a project that will show you how to do symmetric encryption. http://www.codeproject.com/KB/security/SimpleEncryption.aspx

Dare I mention this, because it will create significant overhead, but you can post your information in the view state and use cross page posts to pass the information around:

http://www.velocityreviews.com/forums/t119789-view-state-in-previous-page-using-cross-page-postback.html