September 08, 2015

Avoiding Issues with DNN EncryptParameter

When developing DNN extensions, we often need to share information from page to page, or with other locations within our application, and we want to do so in a secure manner. For the longest time DNN has contained a handy set of methods in the UrlUtils class, EncryptParameter and DecryptParameter. They are easy to use, but just recently I have uncovered a very unusual situation that resulted in an error. Funnily enough, this code has been running in production for more than 5 years!

Before Code

If you follow the examples, and given that the code we are calling is part of the UrlUtils class, we would expect everything to work correctly. Regardless, usage is simple.

//To send along
var toEncrypt = "My Secure Value";
var encrypted = UrlUtils.EncryptParameter(toEncrypt);
Response.Redirect("~/Test.aspx?MyValue=" + encrypted);

//To retrieve
var fromUrl= Request.QueryString["MyValue"];
var decrypted = UrlUtils.DecryptParameter(fromUrl);

Logically speaking this should work, right? I mean, the API is aware of the fact that we are working with URLs and encryption? Well, it does, 99.9% of the time; however, in recent versions of DNN I have been seeing more reports of issues.

The Fix

Luckily the fix is quite simple: you need to manage your own encoding and decoding for the URL. It just adds a bit of time to the process. The following example works well.

//To send along
var toEncrypt = "My Secure Value";
var encrypted = UrlUtils.EncryptParameter(toEncrypt);
Response.Redirect("~/Test.aspx?MyValue=" + Server.UrlEncode(encrypted));

//To retrieve
var fromUrl= Server.UrlDecode(Request.QueryString["MyValue"]);
var decrypted = UrlUtils.DecryptParameter(fromUrl);

All we added was a simple Server.UrlEncode and Server.UrlDecode call to the two methods. Now our code is back to working as desired! Hope this helps!
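Why an unencoded value can fail only some of the time, as an added example that is not code from the original post: it assumes the encrypted value is Base64 text (an assumption, the post does not state the format), in which case a "+" is read back from the query string as a space. The sample bytes and the names QueryStringRoundTrip, ReadFromQuery and Report are constructed for illustration, and UrlUtils itself is not called.

```csharp
using System;
using System.Web; // HttpUtility (System.Web assembly on .NET Framework)

static class QueryStringRoundTrip
{
    // Reads a value back the way a query string is parsed:
    // the raw text after "MyValue=" is URL-decoded once.
    static string ReadFromQuery(string rawValue)
    {
        return HttpUtility.ParseQueryString("MyValue=" + rawValue)["MyValue"];
    }

    // Sends 'sent' through the query string and compares the result with 'original'.
    static void Report(string label, string sent, string original)
    {
        string received = ReadFromQuery(sent);
        Console.WriteLine("{0}: sent '{1}', received '{2}', intact: {3}",
            label, sent, received, received == original);
        try
        {
            Convert.FromBase64String(received);
            Console.WriteLine("  Base64 decode succeeded");
        }
        catch (FormatException ex)
        {
            // A value that no longer decodes cannot be decrypted either.
            Console.WriteLine("  Base64 decode failed: " + ex.Message);
        }
    }

    static void Main()
    {
        // Constructed bytes standing in for ciphertext (assumption: Base64 output).
        // The first sample encodes without '+', the second one contains '+'.
        byte[][] samples = { new byte[] { 0x01, 0x02, 0x03 },
                             new byte[] { 0xFB, 0xFF, 0x10, 0x20 } };
        foreach (byte[] sample in samples)
        {
            string value = Convert.ToBase64String(sample);
            Report("unencoded", value, value);
            Report("UrlEncode", HttpUtility.UrlEncode(value), value);
        }
    }
}
```

Only the sample containing "+" is altered when sent unencoded, which matches a failure that depends on the particular ciphertext produced.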

tags: DNN, DNN Development, Quick Tips

Content provided in this blog is provided "AS-IS" and the information should be used at your own discretion.  The thoughts and opinions expressed are the personal thoughts of Mitchel Sellers and do not reflect the opinions of his employer.
