Dynamic key for querystring encryption

nathan724 1 Reputation point
2022-10-04T05:34:37.28+00:00

I read some examples regarding querystring encryption, like this one https://www.aspsnippets.com/Articles/Encrypt-and-Decrypt-QueryString-Parameter-Values-in-ASPNet-using-C-and-VBNet.aspx. However, all of those examples use a static key, which is either a constant string (probably just for demo purposes) or is stored as a web configuration value.

I feel it should be safer to use a dynamic key - a random string that is generated at the beginning of a session and stored as a session variable. Am I on the right path, and is this a common practice?

Thank you.

ASP.NET Core

2 answers

Sort by: Most helpful
  1. Zhi Lv - MSFT 32,046 Reputation points Microsoft Vendor
    2022-10-04T07:01:11.147+00:00

    Hi @nathan724 ,

    I feel it should be safer to use a dynamic key - a random string that is generated at the beginning of a session and stored as a session variable. Am I on the right path, and is this a common practice?

    Don't store sensitive data in session state. The session data is backed by a cache and considered ephemeral data. It might be lost. Besides, the user might not close the browser and clear the session cookie. Some browsers maintain valid session cookies across browser windows. A session might not be restricted to a single user. The next user might continue to browse the app with the same session cookie. So, it is not safe.

    To store the sensitive data, you can try to use the following methods:

    • Azure KeyVault
    • Azure Storage
    • Redis
    • SQL Server Database.

    Refer to Key storage providers in ASP.NET Core.


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Best regards,
    Dillion

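The key-storage approach this answer points to, shown as an added example that is not code from the thread or from Microsoft's documentation. It uses the ASP.NET Core Data Protection stack: the key ring is persisted to a shared store (a file path here, as an assumption; the Azure Key Vault, Azure Storage, Redis and SQL Server providers the answer lists plug in the same way), keys are rotated by the framework, and the query-string value is both encrypted and authenticated, so a modified or expired link is rejected. The route names, the `order-link` purpose string and the sample order id are assumptions for the example.

```csharp
// Added example (not from the original thread): protect a query-string value with
// ASP.NET Core Data Protection instead of a hand-rolled static or per-session key.
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

var builder = WebApplication.CreateBuilder(args);

// The key ring, not a constant in configuration or a session variable, holds the
// keys. Persisting it to a shared store lets every instance of the app unprotect
// values produced by any other instance. The directory is an assumption for the
// example; swap in PersistKeysToAzureBlobStorage / ProtectKeysWithAzureKeyVault,
// PersistKeysToStackExchangeRedis or PersistKeysToDbContext for production.
builder.Services.AddDataProtection()
    .PersistKeysToFileSystem(new DirectoryInfo("./dp-keys"))
    .SetApplicationName("QueryStringDemo");

var app = builder.Build();

// A purpose string isolates this protector: a payload protected for "order-link"
// cannot be unprotected by a protector created for any other purpose.
const string Purpose = "order-link";

app.MapGet("/make-link", (IDataProtectionProvider provider, HttpContext ctx) =>
{
    // Time-limited protector: the link expires, so a leaked URL is not valid forever.
    var protector = provider.CreateProtector(Purpose).ToTimeLimitedDataProtector();
    string orderId = "12345"; // constructed sample value
    string token = protector.Protect(orderId, TimeSpan.FromMinutes(15));

    // Protect() returns base64url text carrying the key id, IV, ciphertext and MAC.
    return Results.Text(
        $"{ctx.Request.Scheme}://{ctx.Request.Host}/order?t={Uri.EscapeDataString(token)}");
});

app.MapGet("/order", (string t, IDataProtectionProvider provider) =>
{
    var protector = provider.CreateProtector(Purpose).ToTimeLimitedDataProtector();
    try
    {
        string orderId = protector.Unprotect(t);
        return Results.Ok(new { orderId });
    }
    catch (CryptographicException)
    {
        // Tampered, expired, protected under another purpose or application name,
        // or produced by a key this instance cannot see: reject without saying why.
        return Results.BadRequest("invalid or expired link");
    }
});

app.Run();
```

Two points worth checking when adopting this: `SetApplicationName` must be identical on every instance that is expected to read each other's links, and any failure in `Unprotect` surfaces as `CryptographicException`, so the catch block is what stands between a forged token and a 500 error page that leaks stack details.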

  2. Bruce (SqlWork.com) 57,891 Reputation points
    2022-10-04T15:11:54.99+00:00

    If you are using session, then keep the data in a session collection, and only pass the key in the query string.

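The indirection this answer describes, as an added example that is not code from the thread: the sensitive value never leaves the server, and the query string carries only an unguessable, single-use handle into this user's session. The route names, the `qs:` key prefix and the sample value are assumptions for the example. Since session data is ephemeral (see the first answer), a lookup miss is handled as a normal outcome rather than an error.

```csharp
// Added example (not from the original thread): keep the real value server-side in
// session and pass only a random lookup handle in the query string.
using System.Security.Cryptography;

var builder = WebApplication.CreateBuilder(args);

// Session state sits on top of a distributed cache. The in-memory cache is enough
// for one instance; a farm needs Redis or SQL Server behind it so every instance
// resolves the same handles.
builder.Services.AddDistributedMemoryCache();
builder.Services.AddSession(options =>
{
    options.IdleTimeout = TimeSpan.FromMinutes(20);
    options.Cookie.HttpOnly = true;
    options.Cookie.IsEssential = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
});

var app = builder.Build();
app.UseSession();

// Prefix keeps these handles from colliding with other session entries.
const string HandlePrefix = "qs:";

app.MapGet("/make-link", (HttpContext ctx) =>
{
    string sensitiveValue = "account=4711;amount=250.00"; // constructed sample value

    // 128 bits from a CSPRNG, base64url-encoded: the handle carries no information
    // about the value and cannot be enumerated the way a sequential id can.
    string handle = Convert.ToBase64String(RandomNumberGenerator.GetBytes(16))
        .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    ctx.Session.SetString(HandlePrefix + handle, sensitiveValue);
    return Results.Text($"/show?k={handle}");
});

app.MapGet("/show", (string k, HttpContext ctx) =>
{
    // The handle only means something together with this user's session cookie:
    // pasting the URL into another browser resolves to nothing.
    string? value = ctx.Session.GetString(HandlePrefix + k);
    if (value is null)
        return Results.NotFound("no such item, or the session has expired");

    // Single use: drop the entry so a replayed link does not resolve a second time.
    ctx.Session.Remove(HandlePrefix + k);
    return Results.Ok(new { value });
});

app.Run();
```

The trade-off against the Data Protection approach in the first answer is that these links are bound to one session and die with it, which is exactly what you want for a multi-step flow inside one visit and exactly what you do not want for a link that must survive being e-mailed or opened in a different browser.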