User-1134857695 posted
Sup! This has been haunting me for a while. I usually pass some Ids encrypted like this:
public class StringEncrypt : IEncrypt
{
public Func<string> GetUserID;
public StringEncrypt()
{
GetUserID = () => HttpContext.Current.User.Identity.GetUserId();
}
private string Purpose = "The authentication token is";
public string Protect(string unprotectedText)
{
var unprotectedBytes = Encoding.UTF8.GetBytes(unprotectedText);
var protectedBytes = MachineKey.Protect(unprotectedBytes, Purpose + GetUserID);
var protectedText = Convert.ToBase64String(protectedBytes);
return protectedText;
}
public string Unprotect(string protectedText)
{
var protectedBytes = Convert.FromBase64String(protectedText);
var unprotectedBytes = MachineKey.Unprotect(protectedBytes, Purpose + GetUserID);
var unprotectedText = Encoding.UTF8.GetString(unprotectedBytes);
return unprotectedText;
}
}
Then I check if there has been any tampering by running the unprotected method. Is this strong enough, or should I validate against it to see if the user is actually allowed to pass that data?
In other words, if I pass the row id 5, and encrypt it with the method, which would output a huge string. Is it possible for the user to send me a row id of 3? Thanks.
