Encrypt and Decrypt query-string

  • Question

  • User1728579415 posted

    Hello,
    Our application, which is an enterprise MVC application, has 100s of controllers, models and views and a huge code base.
    We are working on EU-GDPR requirements in which we are trying to safeguard personal information from the query string, like SSN, Name, etc.
    Is there any product or library from MS which can help us in doing this?
     
    We did a POC with two scenarios, but we couldn't figure out which one we have to pick for the implementation.
     
    Scenario One :
     
    We created our HTTP module and on each request we are encrypting and decrypting the query string values.
     
    public void Init(HttpApplication context)
    {
       context.BeginRequest += new EventHandler(OnBeginRequest);
       context.EndRequest += new EventHandler(OnEndRequest);
    }
     
    private static void OnBeginRequest(object sender, EventArgs e)
    {
      //Decrypt Here
    }
     
     
    private static void OnEndRequest(object sender, EventArgs e)
    {
      //Encrypt Here
    }
     
     
    Scenario Two:
     
    We created our HTTP module and on each request we are encrypting the query string values.
     
    public void Init(HttpApplication context)
    {
       context.EndRequest += new EventHandler(OnEndRequest);
    }
     
    private static void OnEndRequest(object sender, EventArgs e)
    {
      //Encrypt Here
    }
     
     
    We created our custom value provider to decrypt the values.
     
    public class CustomValueProvider : IValueProvider
    {
        public bool ContainsPrefix(string prefix)
        {
            //Decrypt Here
        }
     
        public ValueProviderResult GetValue(string key)
        {    }
    }
     
    public class CustomValueProviderFactory : ValueProviderFactory
    {
        public override IValueProvider GetValueProvider(ControllerContext controllerContext)
        {
            return new CustomValueProvider();
        }
    }
     
    Considering the above scenarios, which solution is recommended to use as per Microsoft guidelines?

    Friday, December 15, 2017 5:37 AM

All replies

  • User61956409 posted

    Hi DhananjayR,

    If all query strings need to be encrypted and decrypted in your application, I prefer your first approach: encrypt and decrypt the query string globally via a custom HTTP module, which avoids writing the code again and again.

    On the other hand, your second approach, creating a custom value provider for query string decryption, can provide a flexible and convenient way to decrypt the query string if you need to do decryption in your controller actions.

    With Regards,

    Fei Han

    Monday, December 18, 2017 8:29 AM
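
The second scenario from the question, sketched as an added example (not code from either poster and not a Microsoft sample): the whole query string is sealed into one token with MachineKey.Protect, which encrypts and signs it, and a value-provider factory unseals it for model binding. The class names, the "q" parameter and the purpose string are assumptions.

```csharp
using System;
using System.Collections.Specialized;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical helper: packs all query-string pairs into one protected token.
public static class ProtectedQuery
{
    private const string Purpose = "ProtectedQuery.v1"; // assumed purpose string

    public static string Protect(NameValueCollection values)
    {
        // The collection returned by ParseQueryString URL-encodes itself in ToString().
        NameValueCollection qs = HttpUtility.ParseQueryString(string.Empty);
        qs.Add(values);
        byte[] plain = Encoding.UTF8.GetBytes(qs.ToString());
        return HttpServerUtility.UrlTokenEncode(MachineKey.Protect(plain, Purpose));
    }

    // Returns null when the token is malformed, tampered with, or sealed under another key.
    public static NameValueCollection Unprotect(string token)
    {
        try
        {
            byte[] sealedBytes = HttpServerUtility.UrlTokenDecode(token);
            if (sealedBytes == null) return null;
            byte[] plain = MachineKey.Unprotect(sealedBytes, Purpose);
            return HttpUtility.ParseQueryString(Encoding.UTF8.GetString(plain));
        }
        catch (CryptographicException) { return null; } // integrity check failed
        catch (FormatException) { return null; }        // not a valid URL token
    }
}

public class ProtectedQueryValueProviderFactory : ValueProviderFactory
{
    public override IValueProvider GetValueProvider(ControllerContext controllerContext)
    {
        string token = controllerContext.HttpContext.Request.QueryString["q"]; // assumed name
        if (string.IsNullOrEmpty(token)) return null; // no token: MVC skips this provider
        NameValueCollection values = ProtectedQuery.Unprotect(token);
        if (values == null) throw new HttpException(400, "Invalid query token");
        return new NameValueCollectionValueProvider(values, CultureInfo.InvariantCulture);
    }
}
```

Register the factory in Application_Start with ValueProviderFactories.Factories.Add(new ProtectedQueryValueProviderFactory()). In a web farm every node needs the same machineKey configuration, or a token issued by one server is rejected by another.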