ASP.NET : Hide Querystring in URL

Question

I don't know if I'm just being overly hopeful, but is there a way to hide the query string returned in the URL?

The scenario I am in is where I have page1.aspx redirecting a command to an outside server via a post, and it returns it to page2.aspx. The only problem I have with this, is that the querystring of the returned variables are still left in the URL.

I just want to hide the ugly string/information from the common user. So is there a way to edit and reload that in the pageload method or do I just have to save the variables on a middleman page and then hit page 2.

Answer 1

It preserves Query String and Form Variables (optionally). It doesn’t show the real URL where it redirects the request in the users web browser. Server.Transfer happens without the browser knowing anything. The browser requests a page, but the server returns the content of another.

protected void btnServer_Click(object sender, EventArgs e)
{
    Server.Transfer("~/About.aspx?UserId=2");
}

Answer 2

I don't like this approach, but it will work.

Once you know you are where you need to be you can Response.Redirect to the same page and they will be gone.

Answer 3

Awhile back I made some http encoding encrypt/decrypt methods for this purpose. Sometimes in asp.net you need to use the query string, but you also need the end user to not know the value. What I do is base 64 encode, encrypt the value, hash the value based on my private key, and stick them together with a -. On the other side I check the left side hash to verify authenticity, and decrypt the right side. One really nice gotcha is that + (which is a valid base64 string value) is equal to space in html encoding, so I take that into account in the decrypt.

The way I use this is add the encrypted value to the query string, and then decrypt it on the other side

    private const string KEY = "<random value goes here>";

    public static string EncryptAndHash(this string value)
    {
        MACTripleDES des = new MACTripleDES();
        MD5CryptoServiceProvider md5 = new MD5CryptoServiceProvider();
        des.Key = md5.ComputeHash(Encoding.UTF8.GetBytes(KEY));
        string encrypted = Convert.ToBase64String(des.ComputeHash(Encoding.UTF8.GetBytes(value))) + '-' + Convert.ToBase64String(Encoding.UTF8.GetBytes(value));

        return HttpUtility.UrlEncode(encrypted);
    }

    /// <summary>
    /// Returns null if string has been modified since encryption
    /// </summary>
    /// <param name="encoded"></param>
    /// <returns></returns>
    public static string DecryptWithHash(this string encoded)
    {
        MACTripleDES des = new MACTripleDES();
        MD5CryptoServiceProvider md5 = new MD5CryptoServiceProvider();
        des.Key = md5.ComputeHash(Encoding.UTF8.GetBytes(KEY));

        string decoded = HttpUtility.UrlDecode(encoded);
        // in the act of url encoding and decoding, plus (valid base64 value) gets replaced with space (invalid base64 value). this reverses that.
        decoded = decoded.Replace(" ", "+");
        string value = Encoding.UTF8.GetString(Convert.FromBase64String(decoded.Split('-')[1]));
        string savedHash = Encoding.UTF8.GetString(Convert.FromBase64String(decoded.Split('-')[0]));
        string calculatedHash = Encoding.UTF8.GetString(des.ComputeHash(Encoding.UTF8.GetBytes(value)));

        if (savedHash != calculatedHash) return null;

        return value;
    }

Answer 4

You could possibly also use

Context.RewritePath("/foo.aspx")

Here's a link to a ScottGu blog post about URL rewriting.

http://weblogs.asp.net/scottgu/archive/2007/02/26/tip-trick-url-rewriting-with-asp-net.aspx

Answer 5

What is the origin of these querystring variables? Can you not submit all data as POST data, so that there is no querystring?