Cookies are convenient for both visitors and Web application programmers, but they raise security issues. First, cookie data travels in clear text in the headers of HTTP requests and responses, so anyone who can observe the traffic (a proxy, a sniffer on the same network segment) can read it unless the connection is protected by SSL.
Second, the browser stores cookie data on the user's machine as cookie files in its cache directory. These files record which pages were visited and often passwords and other details of the user's behaviour, and anyone with access to the hard disk can open them. Figure 1 shows the content of a cookie file. If you have never noticed the cookie files on your own machine, you can find them as follows: open Internet Explorer, choose "Internet Options" from the "Tools" menu, click the "Settings" button in the dialog that appears, then click the "View" button in the Settings dialog. A window opens listing everything the browser has cached on disk, including a large number of cookie files.

We therefore recommend that you either keep sensitive user data out of cookies altogether or encrypt it before storing it. Classic ASP offered no encryption support; the .NET Framework provides a full set of cryptographic classes in the System.Security.Cryptography namespace.

1. Overview of the .NET cryptography classes

Put simply, encryption transforms the original string of characters (bytes) into a completely different string from which the original cannot be recovered without the key. The transformation mixes the data with a second string, the key, using an algorithm designed so that the output reveals nothing about the input. Many algorithms also take an initialization vector (IV), a block of bytes combined with the first block of data before the key is applied, so that recognisable patterns in the plaintext do not show up in the ciphertext.

For a sound algorithm, the strength of the encryption depends on the size of the key: the longer the key, the more work an attacker must do. Key lengths you will commonly see quoted are 64, 128, 192, 256 and 512 bits. The attacker's only option is to write a program that tries every possible key. A DES key is 64 bits long, but 8 of those bits are parity bits, so there are "only" 2^56 = 72,057,594,037,927,936 keys to try. That number looked enormous when DES was designed; purpose-built hardware has searched the whole space in a matter of days since 1998, which is why DES has been superseded by AES.

There are two kinds of encryption: symmetric (private-key) and asymmetric (public-key).
With symmetric encryption, both parties to the data exchange (the one encrypting and the one decrypting) must hold the same private key. With asymmetric encryption, the party that wants to receive data generates a pair of keys: a public key, which it hands to anyone who wants to send it data, and a private key, which it keeps to itself. The sender encrypts with the recipient's public key, and only the holder of the matching private key can decrypt. SSL, which protects HTTP traffic, uses asymmetric encryption to agree on a session key and then symmetric encryption, which is far faster, for the data itself. For cookie data we use symmetric encryption.

The .NET Framework derives four algorithms from the base SymmetricAlgorithm class:
· System.Security.Cryptography.DES
· System.Security.Cryptography.TripleDES
· System.Security.Cryptography.RC2
· System.Security.Cryptography.Rijndael

This article uses DES and TripleDES. DES has a 64-bit key (56 bits effective), which, as noted above, is within reach of a brute-force search; it is shown here because it is the simplest case, not because it is a good choice for new code. TripleDES encrypts each block three times with a 192-bit key (three 64-bit DES keys) and is considerably stronger. Rijndael, the AES algorithm, is the modern choice.

Two practical costs must be weighed when encrypting cookies. First, the encrypted value is larger than the original: block ciphers such as DES and TripleDES pad the data up to the next multiple of their 8-byte block size, and Base64 encoding then expands the result by a third. It is the block size, not the key size, that determines this growth, so TripleDES costs no more space than DES. Because a cookie is limited to 4 KB, this overhead must be budgeted for. Second, every encryption and decryption costs server CPU time, and the more data or the heavier the algorithm, the more noticeable the slowdown across the whole site.

2. Create a simple encryption utility class

All .NET encryption and decryption flows through the CryptoStream class. It derives from System.IO.Stream and wraps another stream, transforming every byte written to it or read from it with the encryptor or decryptor you supply, so string data is handled as a stream. Below is the code of a simple encryption utility class:

Imports System
Imports System.IO
Imports System.Security.Cryptography

Public Class CryptoUtil
    ' DES: an 8-byte (64-bit) key and an 8-byte initialization vector.
    ' Constant values, for the sake of the example only (see the note after the class).
    Private Shared key_64() As Byte = {42, 16, 93, 156, 78, 4, 218, 32}
    Private Shared iv_64() As Byte = {55, 103, 246, 79, 36, 99, 167, 3}

    ' TripleDES: a 24-byte (192-bit) key. The block size is still 64 bits, so the IV
    ' is 8 bytes, exactly as for DES; a longer IV array would simply be truncated.
    Private Shared key_192() As Byte = {42, 16, 93, 156, 78, 4, 218, 32, _
                                        15, 167, 44, 80, 26, 250, 155, 112, _
                                        2, 94, 11, 204, 119, 35, 184, 197}
    Private Shared iv_192() As Byte = {55, 103, 246, 79, 36, 99, 167, 3}

    ' Standard DES encryption
    Public Shared Function Encrypt(ByVal value As String) As String
        Return EncryptWith(New DESCryptoServiceProvider(), key_64, iv_64, value)
    End Function

    ' Standard DES decryption
    Public Shared Function Decrypt(ByVal value As String) As String
        Return DecryptWith(New DESCryptoServiceProvider(), key_64, iv_64, value)
    End Function

    ' Triple DES encryption
    Public Shared Function EncryptTripleDES(ByVal value As String) As String
        Return EncryptWith(New TripleDESCryptoServiceProvider(), key_192, iv_192, value)
    End Function

    ' Triple DES decryption
    Public Shared Function DecryptTripleDES(ByVal value As String) As String
        Return DecryptWith(New TripleDESCryptoServiceProvider(), key_192, iv_192, value)
    End Function

    ' Writes the UTF-8 bytes of value through a CryptoStream (CBC mode with PKCS7
    ' padding, the SymmetricAlgorithm defaults) and returns the ciphertext as Base64.
    Private Shared Function EncryptWith(ByVal algorithm As SymmetricAlgorithm, _
                                        ByVal key() As Byte, ByVal iv() As Byte, _
                                        ByVal value As String) As String
        If value = "" Then Return ""
        Dim ms As New MemoryStream()
        Dim cs As New CryptoStream(ms, algorithm.CreateEncryptor(key, iv), CryptoStreamMode.Write)
        Dim sw As New StreamWriter(cs)
        sw.Write(value)
        sw.Flush()
        cs.FlushFinalBlock()   ' emits the last, padded block
        ' ToArray copies exactly the bytes written; GetBuffer would include unused capacity
        Return Convert.ToBase64String(ms.ToArray())
    End Function

    ' Reverses EncryptWith: Base64 back to bytes, then the plaintext is read through a CryptoStream.
    Private Shared Function DecryptWith(ByVal algorithm As SymmetricAlgorithm, _
                                        ByVal key() As Byte, ByVal iv() As Byte, _
                                        ByVal value As String) As String
        If value = "" Then Return ""
        Dim buffer() As Byte = Convert.FromBase64String(value)
        Dim ms As New MemoryStream(buffer)
        Dim cs As New CryptoStream(ms, algorithm.CreateDecryptor(key, iv), CryptoStreamMode.Read)
        Dim sr As New StreamReader(cs)
        Return sr.ReadToEnd()
    End Function
End Class

The key and IV above are initialised from numeric constants; if you do the same, every value must lie between 0 and 255, the range a byte can hold. Two caveats for real use. Constants compiled into the assembly are as good as public: generate the key and IV with the algorithm's GenerateKey and GenerateIV methods (or another cryptographic random source) and load them from protected configuration rather than from source. And with a fixed IV, as here, the same plaintext always encrypts to the same ciphertext. The cookie class below relies on that to look a cookie up by its encrypted name, but it also means an observer can tell when two users carry the same value.

3. Create a cookie utility class

Next we create a simple class that sets and gets cookies, with and without encryption.

Imports System
Imports System.Web

Public Class CookieUtil

    ' ---- Set cookies ----

    ' SetTripleDESEncryptedCookie (key and cookie data only)
    Public Shared Sub SetTripleDESEncryptedCookie(ByVal key As String, ByVal value As String)
        SetCookie(CryptoUtil.EncryptTripleDES(key), CryptoUtil.EncryptTripleDES(value))
    End Sub

    ' SetTripleDESEncryptedCookie (with an expiry date for the cookie)
    Public Shared Sub SetTripleDESEncryptedCookie(ByVal key As String, ByVal value As String, _
                                                  ByVal expires As Date)
        SetCookie(CryptoUtil.EncryptTripleDES(key), CryptoUtil.EncryptTripleDES(value), expires)
    End Sub

    ' SetEncryptedCookie (key and cookie data only)
    Public Shared Sub SetEncryptedCookie(ByVal key As String, ByVal value As String)
        SetCookie(CryptoUtil.Encrypt(key), CryptoUtil.Encrypt(value))
    End Sub

    ' SetEncryptedCookie (with an expiry date for the cookie)
    Public Shared Sub SetEncryptedCookie(ByVal key As String, ByVal value As String, _
                                         ByVal expires As Date)
        SetCookie(CryptoUtil.Encrypt(key), CryptoUtil.Encrypt(value), expires)
    End Sub

    ' SetCookie (key and cookie data only): a session cookie, kept in memory until the browser closes
    Public Shared Sub SetCookie(ByVal key As String, ByVal value As String)
        ' URL-encode so that the "=", "+" and "/" produced by Base64 cannot break the Set-Cookie header
        key = HttpContext.Current.Server.UrlEncode(key)
        value = HttpContext.Current.Server.UrlEncode(value)
        SetCookie(New HttpCookie(key, value))
    End Sub

    ' SetCookie (with an expiry date): a persistent cookie, written to disk
    Public Shared Sub SetCookie(ByVal key As String, ByVal value As String, ByVal expires As Date)
        key = HttpContext.Current.Server.UrlEncode(key)
        value = HttpContext.Current.Server.UrlEncode(value)
        Dim cookie As New HttpCookie(key, value)
        cookie.Expires = expires
        SetCookie(cookie)
    End Sub

    ' SetCookie (HttpCookie only)
    Public Shared Sub SetCookie(ByVal cookie As HttpCookie)
        HttpContext.Current.Response.Cookies.Set(cookie)
    End Sub

    ' ---- Get cookies ----

    Public Shared Function GetTripleDESEncryptedCookieValue(ByVal key As String) As String
        ' The key is encrypted exactly as it was when the cookie was set
        Dim value As String = GetCookieValue(CryptoUtil.EncryptTripleDES(key))
        Return CryptoUtil.DecryptTripleDES(value)
    End Function

    Public Shared Function GetEncryptedCookieValue(ByVal key As String) As String
        Dim value As String = GetCookieValue(CryptoUtil.Encrypt(key))
        Return CryptoUtil.Decrypt(value)
    End Function

    Public Shared Function GetCookie(ByVal key As String) As HttpCookie
        ' Encode the key exactly as SetCookie did
        key = HttpContext.Current.Server.UrlEncode(key)
        Return HttpContext.Current.Request.Cookies.Get(key)
    End Function

    ' Returns the decoded value, or Nothing when the cookie is absent
    Public Shared Function GetCookieValue(ByVal key As String) As String
        Dim cookie As HttpCookie = GetCookie(key)
        If cookie Is Nothing Then Return Nothing
        Return HttpContext.Current.Server.UrlDecode(cookie.Value)
    End Function
End Class

Some of the overloads above take an expiry date. If it is not supplied, the cookie lives only in the browser's memory for the duration of the session; to create a persistent cookie, pass an expiry date. A corrupted or tampered encrypted cookie makes the Decrypt methods throw a CryptographicException (bad padding) or a FormatException (invalid Base64), so callers should catch those and treat the cookie as absent rather than let the exception reach the page.

The key and value are URL-encoded before the cookie is written and decoded after it is read. Cookies share the character restrictions of URLs: "=" and ";" are reserved as delimiters and cannot appear in a name or value. This matters particularly for encrypted data, because the Base64 encoding that turns the ciphertext into a string pads its output with "=" up to a multiple of four characters and may also contain "+" and "/".

One last point. Encryption hides the cookie's value, but it does not stop the browser's owner from changing it. The server only notices a change if decryption happens to fail on the padding; an altered ciphertext that decrypts cleanly is accepted as genuine. To detect modification, compute a keyed hash (System.Security.Cryptography.HMACSHA1) over the encrypted value with a second secret key, store it alongside the cookie, and verify it before decrypting. And since the first problem on this page was cookies crossing the network in clear text, set HttpCookie.Secure on any cookie that matters so the browser sends it only over SSL.

So, will you protect your cookies?
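The two things the article's classes state but do not show, how much a block cipher grows a cookie value and what happens when a client edits an encrypted cookie that carries no integrity check, are demonstrated by the following added example. It is not code from the original article. It is written in Go because Go's standard library ships DES/TripleDES and CBC mode, so it runs offline without .NET. It reproduces the CryptoUtil scheme (3DES-CBC, PKCS7 padding, the article's fixed key_192 and an 8-byte IV) and then adds the keyed hash the article does not apply. The MAC key, the cookie value uid=1001;admin=0 and all function names are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Constructed keys for this example only; a deployment loads them from protected config, not source.
var (
	key192 = []byte{42, 16, 93, 156, 78, 4, 218, 32, 15, 167, 44, 80,
		26, 250, 155, 112, 2, 94, 11, 204, 119, 35, 184, 197}
	iv64   = []byte{55, 103, 246, 79, 36, 99, 167, 3}      // 3DES block is 8 bytes whatever the key length
	macKey = []byte("constructed-hmac-key-for-this-demo") // assumption: a second key used only for the MAC
)

var tdes = func() cipher.Block {
	b, err := des.NewTripleDESCipher(key192) // only a 24-byte key is accepted
	if err != nil {
		panic(err)
	}
	return b
}()

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > size || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// EncryptCBC is the article's scheme minus the Base64 step: 3DES-CBC, PKCS7, fixed key and IV.
// Like the .NET code it mirrors, it provides confidentiality and nothing else.
func EncryptCBC(value string) []byte {
	pt := pkcs7Pad([]byte(value), tdes.BlockSize())
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(tdes, iv64).CryptBlocks(ct, pt)
	return ct
}

func DecryptCBC(ct []byte) (string, error) {
	if len(ct) == 0 || len(ct)%tdes.BlockSize() != 0 {
		return "", errors.New("ciphertext is not whole blocks")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(tdes, iv64).CryptBlocks(pt, ct)
	out, err := pkcs7Unpad(pt, tdes.BlockSize())
	return string(out), err
}

// FlipBit is the attacker editing the cookie in their own browser, no key needed: XORing a bit
// of ciphertext block i flips that bit in plaintext block i+1 and scrambles block i. CBC cannot notice.
func FlipBit(ct []byte, index int, mask byte) []byte {
	out := append([]byte(nil), ct...)
	out[index] ^= mask
	return out
}

// SealCookie is the fix, encrypt-then-MAC: HMAC-SHA256 over the ciphertext is appended, and
// RawURLEncoding leaves no "=" or "+" to URL-encode.
func SealCookie(value string) string {
	ct := EncryptCBC(value)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	return base64.RawURLEncoding.EncodeToString(mac.Sum(ct))
}

// OpenCookie checks the tag in constant time before any decryption or unpadding runs.
func OpenCookie(sealed string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(sealed)
	if err != nil || len(raw) <= sha256.Size {
		return "", errors.New("malformed cookie")
	}
	ct, tag := raw[:len(raw)-sha256.Size], raw[len(raw)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return "", errors.New("cookie failed integrity check")
	}
	return DecryptCBC(ct)
}

func main() {
	const v = "uid=1001;admin=0" // constructed value: 16 bytes, exactly two blocks
	// Bit 0 of ciphertext byte 7 controls bit 0 of plaintext byte 15, turning '0' into '1'.
	got, err := DecryptCBC(FlipBit(EncryptCBC(v), 7, 0x01))
	fmt.Printf("article's scheme: forged cookie err=%v value=%q\n", err, got)
	raw, _ := base64.RawURLEncoding.DecodeString(SealCookie(v))
	_, err = OpenCookie(base64.RawURLEncoding.EncodeToString(FlipBit(raw, 7, 0x01)))
	fmt.Println("sealed scheme: forged cookie err =", err)
}
```

Running it shows the 16-byte value becoming 24 bytes of ciphertext (32 Base64 characters), and under the article's scheme the forged cookie decrypting without any error to eight scrambled bytes followed by ";admin=1": the padding block was untouched, so nothing signals the change, and a server that reads fields from the tail of the value is fooled. OpenCookie rejects the same edit before decrypting. Because the IV is fixed, the forgery is repeatable and identical values encrypt identically; a random per-cookie IV, prepended to the ciphertext and covered by the MAC, closes that second gap. The .NET counterpart of the tag is an HMACSHA1 (later HMACSHA256) from the same System.Security.Cryptography namespace, computed over the ciphertext bytes before Base64.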