I am interested to know if anyone has secured the http query string by encrypting it. Any pointers and suggestions are highly appreciated. Thanks.
Can you use POST the data in a form?
(instead of HTTP GET)
Just a thought - if you absolutely have to GET then perhaps you could use real encryption and put the RSA private key in the session? Or maybe you could use the Vernum cypher as a "munition-free" approach...
But Sean is right, POST is better (it also stops the bookmarking of URLs).
I've experienced that the screens transition with HTTP POST was not smooth. There was something flased for fraction of a second before the next screen was rendered. Have you experienced the same thing? Thanks.
Not sure why it would specifically affect POST, but I believe you can regulate page flashing by controlling when the response is flushed.
We've encrypted data within a query string using public key encryption together with base 64 encoding. The encryption and decryption, and handling of the public / private keys was application specific.
I don't see how you could successfully enrypt the entire query string in this fashion as the result is not really a query string anymore (and therefore doesn't comply with the HTTP spec).
You are right, I didn't mean encrypting the entire query string, instead the data in the query string. Could you please share a bit more about your implementation and point me to some API references? Thanks for your help!
I'm not sure if our model is exactly what you require. We're just using a digital signature to verify a particular HTTP request came from a trusted source.
We generate a public and private key pair (the algorithm you choose will depend on what's supported by your JRE).
Have a look at the following classes for more information on working with public / private keys using digital signatures:
If you actually want to encrypt, and decrypt, data then have a look at the javax.crypto package. We don't do this but I think it's similar to the digital signatures.
Our digital signature is encoded into the query string using base 64 encoding.
We use sun.misc.BASE64Decoder and sun.misc.BASE64Encoder to do the base 64 encoding, although the use of these internal Sun classes is frowned upon!
Try QueryCrypt - It's recently open sourced
QueryCrypt from Aveda Techynology