I have made an encryption of "auth" using AES as follows:
|<cfset skey = generateSecretKey("AES")>|
|<cfset regkey = encrypt("auth", skey, "AES", "hex")>|
I attached the result for example to an URL
(auth is assign regkey i.e. ,,,,,,htm?auth=#regkey#)
This works perfectly under perfect condition. However, if I go ahead and try to "hack" the code and make it shorter and change some characters like this:
The Decrypt function:
<cfset theword=decrypt(url.auth, skey, "AES", "hex")>
just crash! It throws an exception. Isn't it supposed to just return bad string rather than crashing? This is pretty bad.
Is there way to check for the URL.auth before passing to Decrypt? Thanks in advance.
If I may be so bold to ask.. Why are you passing the encryption key in a URL string??? Is this strictly for learning/practicing? You're not planning on doing that in a production environment, are you?
The CF9 docs don't say what is supposed to happen if the encrypted value is changed. Place that inside a try/catch and have the issue details emailed to you.
I am going to use it for at least couple things:
1. membership activation
2. email notifications i.e. when member received an email they will be notified and if they are signed in already, it will bring them to the message directly to reply
I tried try/catch but the exception is being intercepted by cferror
I think I misunderstood your original question. I was tired when I looked at your code samples.
If someone tries to change the encrypted URL parameters and error.cfm is NOT displaying anything other than a generic "something broke" message, but is emailing the details to the admin or developer, then there's really nothing to worry about.
As far as WHY that's happening, I don't know. The Adobe docs for it don't indicate what is supposed to happen if the encrypted value is altered.
I can't believe no one thought of this all these time and Adobe not knowing this. The Decrypt function should either return a decrypt string or return false if it can't do its job and not just throw an exception. There can be other messages associated with the function to explain what the exception is. This is very bad user experience.