Way to Encrypt Cookies with ASP.NET

Cookies, most of the times, shouldn't be in plain text, at least, they should be tamper-proof! Revealing the content of your cookies might give curious and malicious people an idea about your application's architecture, and that might help hacking it.

Way 1:

ASP.NET encodes and hashes its authorization ticket, making it secure and tamper-proof. However, the methods used to secure authorization cookies are inaccessible from outside the .NET framework libraries, so you can't protect your own cookie using these methods; you need to protect it yourself using your own encryption key, encoding and hashing algorithms. HttpSecureCookie works around this by accessing the same methods ASP.NET uses for cookie authorization.

Using HttpSecureCookie is easy to encrypt the cookie information.

HttpCookie cookie = new HttpCookie("UserName", "Terminator");
cookie.Expires = DateTime.Now.AddDays(1);
HttpCookie encodedCookie = HttpSecureCookie.Encode(cookie);
Response.Cookies.Add(encodedCookie);

To decode an encoded cookie:

HttpCookie cookie = Request.Cookies["UserName"];
lblDisplayBefore.Text = cookie.Value;
HttpCookie decodedCookie = HttpSecureCookie.Decode(cookie);

Note: To use HttpSecureCookie on a web farm, you need to set the correct MachineKey configuration in Web.Config.

Way 2:

We can also secure our cookie by using HttpCookieEncryption class.

You basically reference the DLL or include the code in your project. The HttpCookieEncryption type was rooted into the System.Web namespace.

Simply make a call to HttpCookieEncryption.Encrypt to encrypt the specified cookie. Note that the second overload to Encrypt actually modifies the Response, whereas the first does not.

On the next request, you can decrypt the encrypted cookie by calling HttpCookieEncryption.Decrypt(). This retrieves the specified cookie and returns a new instance with the decrypted value. Neither of the Decrypt methods modify the cookie in the current Response.

HttpCookie myEncryptedCookie =
HttpCookieEncryption.Decrypt(this.Context,"myEncryptedCookie");
if(myEncryptedCookie==null)
{
HttpCookie test = Response.Cookies["myEncryptedCookie"];
test["key1"]="value1";
test["key2"]="value2";

HttpCookieEncryption.Encrypt(this.Context,"myEncryptedCookie");

HttpCookie decrypted = HttpCookieEncryption.Decrypt(this.Context,
"myEncryptedCookie");

if(test["key1"].Equals(decrypted["key1"]) &&
test["key2"].Equals(decrypted["key2"]))
else
// Never happen
}

Hope we could have got something about securing Cookies.

Comments

Post a Comment

Popular posts from this blog

Interview Questions to Ask the Employer

It's your turn! As the interview comes to a close, one of the final questions you may be asked is "What can I answer for you?" Have interview questions of your own ready to ask. You aren't simply trying to get this job - you are also interviewing the employer to assess whether this company and the position are a good fit for you. Here are questions to ask the interviewer so you can ensure the company is a good match for your qualifications and interests. How would you describe the responsibilities of the position? How would you describe a typical week/day in this position? Is this a new position? If not, what did the previous employee go on to do? What is the company's management style? Who does this position report to? If I am offered the position, can I meet him/her? How many people work in this office/department? How much travel is expected? Is relocation a possibility? What is the typical work week? Is overtime expected? What are the prospects for growth and a...
Read more

Place .NET DLL in GAC

Today other team guy has asked me help as he was facing some problem in trying to place a .NET DLL in GAC where he does not have source code with him. Potentially you just have to follow regular steps as mentioned below to place the DLL in GAC; 1. Generating the public key: Go to visualStudio.Net command prompt and type the following command: sn -k keyfile1.snk Here keyfile1.snk is the keyfile we are generating. You can store this key file in the bin folder of the assembly. In order to do this u have to go to the bin folder. For example: C:\foldername\assemblyname\bin sn-k keyfile1.snk By doing this the keyfile is stored in the bin folder. 2. Than place the keyfile into the Assembly. Go to AssemblyInfo.cs file: [assembly: AssemblyKeyFile("C:\foldername\assemblyname\keyfile1.snk")] 3. Then build the Assembly. 4. Placing the assembly into GAC This process is fine when you have source code with you. What if you don't have the source code with you and you need to put it to t...
Read more

Windows Communication Foundation - FAQ

Image
Difference between Web Service and WCF? Major Difference is That Web Services Use XmlSerializer But WCF Uses DataContractSerializer which is better in Performance as Compared to XmlSerializer. Key issues with XmlSerializer to serialize .NET types to XML Only Public fields or Properties of .NET types can be translated into XML. Only the classes which implement IEnumerable interface. Classes that implement the IDictionary interface, such as Hash table can not be serialized. The DataContractAttribute can be applied to the class or a strcture. DataMemberAttribute can be applied to field or a property and theses fields or properties can be either public or private. Web Services : 1.It Can be accessed only over HTTP 2.It works in stateless environment WCF : WCF is flexible because its services can be hosted in different types of applications. The following lists several common scenarios for hosting WCF services; IIS WAS Self-hosting Managed Windows Service Important difference ...
Read more