I encrypted a URL that I would like to pass to another page, but can't seem to get it to decrypt. This is the first time I am using this technique, so I might not be doing it right. Just been reading a lot of the examples on the web and can't get it to work for me.
== Encrypted ==
<h3>URLEncodedFormat Example</h3>
<cfscript>
theKey=generateSecretKey("AES");
encrypted=encrypt(#qEdit.PersonID#, theKey, "AES", "HEX");
</cfscript>
<cfoutput>
<a href="##" onclick="MM_openBrWindow('test2.cfm?Picture=#encrypted#','','resizable=yes,width=500,height=500')">Test Encode</a>
</cfoutput>
The encryption works fine in the URL, but now I'm not sure how to decrypt it on my other page.
You can easily do so; please check this article:
http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=functions_c-d_40.html
You'll need to either save "theKey" to a session variable or pass it along in the URL.
If session variable:
decrypted = decrypt(url.Picture,session.varName,algorithm,enc);
If URL param:
decrypted = decrypt(url.Picture,url.varName,algorithm,enc);
^_^
If you are doing this for security then "or pass it along in the URL" is terrible advice, please don't follow it. Sorry WolfShade.
Create the key onSessionStart() and store it in the session scope, then you can reuse it throughout the site as needed.
Jason
I agree with 12Robots that you should never send your key by URL. That is equivalent to publishing it, and therefore defeats the whole purpose of the encryption.
There are 2 choices. Store the key as a client variable or as a session variable. I prefer session, because it involves just memory. (It's difficult to guess what someone's thinking!)
As 12Robots has said, the usual place to define session variables is in onSessionStart. Here, ColdFusion sets one value in memory for the entire user session. However, I think the requirements of the original post are not that simple.
You will have to store the PersonID and encrypted string in session scope, as you will need these values for validation later. Also, the URL has a dynamic part, namely, Picture=#encrypted#. This tells me there may be 2 or more Picture values per session. If so, then these session variables should be defined on the page itself, for example
<cfscript>
session.theKey=generateSecretKey("AES");
session.personID=qEdit.PersonID;
session.encrypted=encrypt(session.personID, session.theKey, "AES", "HEX");
</cfscript>
<cfoutput>
<a href="##" onclick="MM_openBrWindow('test2.cfm?Picture=#session.encrypted#','','resizable=yes,width=500,height=500')">Test Encode</a>
</cfoutput>
This defines a new key each time the current page is opened. I would then expect the validation on test2.cfm to jog like this
<!--- Ignored URLEncodedFormat and URLDecode, to keep story simple. --->
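<!--- Decrypt the value received in the URL and compare it with the PersonID stored in session. --->
<cfif isDefined("URL.Picture") AND decrypt(URL.Picture, session.theKey, "AES", "Hex") IS session.personID>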
success
<cfelse>
failure
</cfif>
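The session-key approach discussed in this thread, end to end, as an added example that is not code from any of the posters: the key is created in onSessionStart, the linking page encrypts with it, and test2.cfm decrypts the URL value defensively. The application name `pictureDemo` and the assumption that PersonID is numeric are illustrative; `qEdit` is the query from the original question.

```cfml
<!--- Application.cfc (added example; "pictureDemo" is a placeholder name) --->
<cfcomponent output="false">
    <cfset this.name = "pictureDemo">
    <cfset this.sessionManagement = true>

    <!--- One AES key per user session; it stays in server memory. --->
    <cffunction name="onSessionStart" returntype="void" output="false">
        <cfset session.theKey = generateSecretKey("AES")>
    </cffunction>
</cfcomponent>

<!--- Linking page: encrypt with the session key. HEX output is URL-safe. --->
<cfset encrypted = encrypt(qEdit.PersonID, session.theKey, "AES", "HEX")>
<cfoutput>
<a href="test2.cfm?Picture=#encrypted#">Test Encode</a>
</cfoutput>

<!--- test2.cfm: the URL value is user-controlled, so decrypt() may throw
      (bad hex, expired session key) or return garbage if it was edited. --->
<cfparam name="url.Picture" default="">
<cfset personID = "">
<cftry>
    <cfif structKeyExists(session, "theKey") AND len(url.Picture)>
        <cfset personID = decrypt(url.Picture, session.theKey, "AES", "HEX")>
    </cfif>
    <cfcatch type="any">
        <!--- Treat any decryption error as "no valid ID supplied". --->
        <cfset personID = "">
    </cfcatch>
</cftry>

<!--- Assumption: PersonID is numeric, so anything else is rejected. --->
<cfif isNumeric(personID)>
    success
<cfelse>
    failure
</cfif>
```

Because the key lives only in the session scope, a link generated in one session cannot be decrypted in another, and the key itself never appears in the URL.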