Dynamic key for querystring encryption

nathan724 1 Reputation point
2022-10-04T05:34:37.28+00:00

I read some examples regarding querystring encryption, like this one https://www.aspsnippets.com/Articles/Encrypt-and-Decrypt-QueryString-Parameter-Values-in-ASPNet-using-C-and-VBNet.aspx. However, all of those examples use a static key, which is either a constant string (probably just for demo purposes) or is stored as a web configuration value.

I feel it should be safer to use a dynamic key - a random string that is generated at the beginning of a session and stored as a session variable. Am I on the right path, and is this a common practice?

Thank you.

Developer technologies ASP.NET ASP.NET Core

2 answers

  1. Anonymous
    2022-10-04T07:01:11.147+00:00

    Hi @nathan724 ,

    I feel it should be safer to use a dynamic key - a random string that is generated at the beginning of a session and stored as a session variable. Am I on the right path, and is this a common practice?

    Don't store sensitive data in session state. The session data is backed by a cache and considered ephemeral data. It might be lost. Besides, the user might not close the browser and clear the session cookie. Some browsers maintain valid session cookies across browser windows. A session might not be restricted to a single user. The next user might continue to browse the app with the same session cookie. So, it is not safe.

    To store the sensitive data, you can try to use the following methods:

    • Azure KeyVault
    • Azure Storage
    • Redis
    • SQL Server Database.

    Refer to Key storage providers in ASP.NET Core.



    Best regards,
    Dillion
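
One way to get per-user isolation without generating a key per session or keeping one in session state, as an added example that is not part of the original thread: ASP.NET Core Data Protection manages the key ring, and the user name is passed as a sub-purpose. It assumes a console project referencing the Microsoft.AspNetCore.DataProtection.Extensions package; the purpose string, user names, key folder and order id are constructed for illustration.

```csharp
// Added example, not code from the thread. The purpose string, user names,
// key folder and order id are constructed for illustration.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

// Data Protection creates, rotates and persists the key ring itself.
// A temp folder stands in here for a shared key store (assumption).
var keyDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "qs-demo-keys"));
IDataProtectionProvider provider = DataProtectionProvider.Create(keyDir);

// Issue a query string value for alice that stays valid for 10 minutes.
string token = Protect(provider, "alice", "4711", TimeSpan.FromMinutes(10));
Console.WriteLine("/orders/details?id=" + token);

// The same user recovers the value; a different user is rejected.
Console.WriteLine(TryUnprotect(provider, "alice", token, out var id)
    ? $"alice: {id}" : "alice: rejected");
Console.WriteLine(TryUnprotect(provider, "bob", token, out id)
    ? $"bob: {id}" : "bob: rejected");

// The user name is a sub-purpose: it is mixed into key derivation, so a
// token protected for one user does not unprotect under another user's
// protector even though both come from the same key ring.
static ITimeLimitedDataProtector ProtectorFor(IDataProtectionProvider p, string user) =>
    p.CreateProtector("QueryString.v1", user).ToTimeLimitedDataProtector();

// The string overload returns a base64url token that is safe to place in a URL.
static string Protect(IDataProtectionProvider p, string user, string value, TimeSpan lifetime) =>
    ProtectorFor(p, user).Protect(value, lifetime);

// Expired tokens and tokens bound to another purpose both surface as
// CryptographicException, so the caller sees one failure path.
static bool TryUnprotect(IDataProtectionProvider p, string user, string token, out string value)
{
    try
    {
        value = ProtectorFor(p, user).Unprotect(token);
        return true;
    }
    catch (CryptographicException)
    {
        value = string.Empty;
        return false;
    }
}
```

In a web application the provider would come from `AddDataProtection()` through dependency injection, with the key ring persisted to one of the stores listed in the answer above.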


  2. Bruce (SqlWork.com) 77,686 Reputation points Volunteer Moderator
    2022-10-04T15:11:54.99+00:00

    If you are using session, then keep the data in a session collection, and only pass the key in the query string.

