I work on a web-application that is written in C#/ASP.NET. The original framers of this application chose to use encrypted query strings and Viewstate to control the ‘security’ and ‘state’ of the application.
Having come from a GET/POST world before this, I don’t have a good basis for understanding why people would go through the trouble of encrypting query strings, when using POST for sensitive data (along with SSL) would achieve a similar level of security.
My question is: What are the advantages and disadvantages of using Encrypted Query Strings in ASP.NET? Is there a documented ‘best practice’ for this?
Edit: People tend to focus on Viewstate in this question. Don’t. Viewstate was mentioned only to give you a better idea to ascertain how ‘state’ was managed, since that is tangentially related to URLs. I never said Viewstate was encrypted. There really are two issues: 1) The Use of Viewstate, and 2) the Use of encrypted query strings. This question is focused on the latter. I hope that helps to clear up the focus of the question.
A reason why you might do something like this is to prevent tampering with the URL to get access to data other than your own. For example, if you have the url:
it wouldn’t be hard for me (or anyone) to change that to:
If your data access strategy relies entirely on what’s in the querystring, that could allow unauthorized access to data.
This approach does serve that purpose correctly, but a more robust way to get there is to actively check authorization within the application, and never rely exclusively on the URL for authentication and / or authorization purposes.
Note that this has nothing to do with SSL – that ensures privacy between the browser and server, but you can be under a perfectly secure connection and still tamper with the URL.