Encrypt Information Displayed in Address Bar

[agoyal2]

I have an ASP application which emails links to the users, which the users can click to access previously entered information by them. The link looks like

http://www.myserver.com/WebForm.asp?id=532&data2=abcde

Now, my problem is, if some other user types out the above URL in the browser address bar and changes the id, he can see other user's information.

Therefore, I want to send encrypted links to users which can be decrypted in my ASP before i display information. When i tried an encryption algorithm i got something like:

http://www.myserver.com/WebForm.asp?id=ytE*6#32^%rye

Now the problem here is, i can still play with the three characters (trying different random combinations) immediately after "id" and get to others pages.

 

[Sheco]

Why not have a Login page that sets a cookie or a session variable.

Then make a little INCLUDE file that holds the code to check for this cookie or session variable and include it on every sensitive page. If the values cannot be read, redirect the user to the Login page.

 

[agoyal2]

Thanks... I found out the solution. I was missing the use of Server.URLEncode which transformed my string to a completely secure form.

 

[Sheco]

No, any user could copy that string and use it... it just would be hard to remember or guess.