Home/ Questions/Q 1071103
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T20:40:02+00:00

EDIT 1 : I think I was not clear myself before and hence could

  • 0

EDIT 1 : I think I was not clear myself
before and hence could not word it
better. So, I am creating a system
where I am providing page content to
another system via IFRAMEs. A user
will login to the other system and
that system will set their apiKey and
userKey in a cookie on my system so
that access will be granted into my
system. I want to encrypt these values
so that a malicious user cannot be
granted access into someone elses
sytem by modifying a value. Are there
good .NET standards for this type of
encryption/security? What do you
recommend I do in this scenario?

Hi all,
Firstly this might be asked before but I have never implemented hashing or encryption before so I just want to make sure that I put my point across clearly.I want to have some good idea of what needs to be done here.

I have couple of keys which are unique to the users and are being passed by client through the iframes and to maintain session we create cookies using these values for them.So, now I want encrypt or generate a hash for these values since they are visible in the url I dont want the users manipulating these values.

So, I guess I want to generate a hash for both the keys and display that in the browser in order to stop the users from entering some random values and try to abuse the system. I guess would store these hashed values in the database and then compare with original values.

Please just anyone guide me to the steps what all I need to do and what should I be using to achieve it.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Firstly if I understand your scenario correctly you don’t need a hash but you need an encryption of those keys. If you hash them you will never be able to read the original values back and create the session cookie. You are trying to implement a cross domain Single-Sign-On (if this is not your case and I misunderstood your scenario you could ignore the rest of my answer).

    I would recommend you using the machine keys to encrypt/decrypt:

    Encrypt:

    var ticket = new FormsAuthenticationTicket(
    1, // version
    "ticketName", // name of the ticket (it doesn't really matter here)
    DateTime.Now, // issue date
    DateTime.Now.AddMinutes(1), // validity of the ticket
    false, // should the ticket be persistent
    "key1=value1&key2=value2......" // values to encrypt, could be any string
);
string encrypted = FormsAuthentication.Encrypt(ticket);

    Now send the encrypted string over the wire and on the other hand decrypt. It is important to perform this over an encrypted channel using SSL to avoid a Man-In-The-Middle who can steal the encrypted value and try to brute force it:

    var ticket = FormsAuthentication.Decrypt(encrypted);
if (!ticket.Expired)
{
    // The ticket hasn't expired (< 1min) => use the values
    string keys = ticket.UserData;
    // TODO: Parse and issue cookie
}

    For this to work it is necessary to have the same machine keys on both the encrypting and the decrypting side.

    UPDATE:

    Here are the steps:

    1. The user is authenticated on System A (Domain 1)
    2. System A decides to include in an iframe System B (Domain 2) where the user is not authenticated
    3. System A generates an encrypted string containing user information using machine keys
    4. System A sends to System B (via the src property of the iframe) this encrypted value
    5. System B reads and decrypts the encrypted value containing the user information
    6. System B issues an authentication cookie to indicate that the user is now authenticated on Domain 2
    7. System B shows the authenticated content to the user

    You have achieved cross domain single sign on. Of course this technique is not limited to iframes.

    • 0