Re: Querystring hash?

From: Kim Bach Petersen (msnews@kensho.dk)
Date: 02/13/03


From: "Kim Bach Petersen" <msnews@kensho.dk>
Date: Thu, 13 Feb 2003 10:33:57 +0100


> You can
> then generate an encryption-key based on the username and/or
> sessionid to make sure, that the link/querystring is only valid for
> the current user in the current session.

I forgot the sample code: this will make a 256-bit key from username and
SessionId (or any other string):

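' Requires: Imports System.Security.Cryptography
Dim Hasher As New SHA256Managed()
Dim arrKeystring() As Byte
' Key material: username concatenated with the session id
Dim strKeybase As String = Page.User.Identity.Name & Session.SessionId
arrKeystring = New System.Text.UTF8Encoding().GetBytes(strKeybase)
' SHA-256 yields 32 bytes, i.e. a 256-bit Rijndael key
clientRijndael.Key = Hasher.ComputeHash(arrKeystring)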

Just to make the picture complete: Some browsers reuse a sessionid, that
is, you can sign out and back in and the sessionid doesn't change. In our
scenario that means that if the key is based on sessionid only, all users of
the same browser instance will get access. To avoid this, one could make a
key based on both username and sessionid (as above) or simply force a new
sessionid by deleting the old one at signout:

Response.Cookies("ASP.NET_SessionId").Value = Nothing

Kim :o)
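
Added example, not part of the original post: a stand-alone VB.NET console program that compares the post's derivation (SHA-256 over username & sessionid) with a hypothetical variant that length-prefixes the two fields and keys an HMAC-SHA256 with a server-side secret. The module and function names, the secret and the session ids are constructed for illustration.

```vbnet
Imports System
Imports System.IO
Imports System.Security.Cryptography
Imports System.Text

Module QueryKeyDemo
    ' Constructed placeholder; a real site would load this from protected configuration.
    Private ReadOnly ServerSecret As Byte() = Encoding.UTF8.GetBytes("constructed-demo-secret")

    ' The post's derivation: SHA-256 over one concatenated string.
    Function HashKey(keyBase As String) As Byte()
        Using hasher As SHA256 = SHA256.Create()
            Return hasher.ComputeHash(Encoding.UTF8.GetBytes(keyBase))
        End Using
    End Function

    ' Hypothetical variant (assumption, not from the post): HMAC-SHA256 under a
    ' server-side secret over length-prefixed fields, so the boundary between
    ' username and session id is part of the hashed input.
    Function BoundKey(userName As String, sessionId As String) As Byte()
        Using ms As New MemoryStream()
            Using w As New BinaryWriter(ms, Encoding.UTF8)
                w.Write(userName)   ' Write(String) emits a length prefix first
                w.Write(sessionId)
                w.Flush()
                Using mac As New HMACSHA256(ServerSecret)
                    Return mac.ComputeHash(ms.ToArray())
                End Using
            End Using
        End Using
    End Function

    Function Same(a As Byte(), b As Byte()) As Boolean
        Return Convert.ToBase64String(a) = Convert.ToBase64String(b)
    End Function

    Sub Main()
        Dim sid As String = "sid0001"   ' constructed session id, reused after sign-out
        ' Username & session id, as in the post: two users sharing a reused id get different keys.
        Console.WriteLine("alice vs bob, same sid: " & Same(HashKey("alice" & sid), HashKey("bob" & sid)))
        ' With variable-length strings, "bob" & "1abc" and "bob1" & "abc" are the same input.
        Console.WriteLine("plain concatenation:    " & Same(HashKey("bob" & "1abc"), HashKey("bob1" & "abc")))
        ' Length-prefixed fields keep those two pairs distinct.
        Console.WriteLine("length-prefixed fields: " & Same(BoundKey("bob", "1abc"), BoundKey("bob1", "abc")))
        Console.WriteLine("key size in bits:       " & BoundKey("alice", sid).Length * 8)
    End Sub
End Module
```

The concatenation case matters when the key base is built from "any other string" of variable length; both functions return 32 bytes, so either result can be assigned to a 256-bit Rijndael key.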