The short version of this is that I want you to give me ideas on how to use a technique I came up with that I want to write a tip/trick on. The long version follows...

When you visit http://www.youtube.com/watch?v=K2cYWfq--Nw, you'll see a video for "daft hands". YouTube uses the video ID ("K2cYWfq--Nw" in this case) to identify which video to serve up. My idea is basically to attach some uniquely identifying information to that ID.

For example, YouTube requires you to log in to view mature content. If YouTube combined the video ID ("K2cYWfq--Nw") with the user ID ("AwesomezorTuber5"), they'd be able to identify both the video and the user (so the URL becomes "http://www.youtube.com/watch?v=K2cYWfq--Nw.AwesomezorTuber5"). If that entire query string value were then encrypted using a password known only to YouTube, the user would not be able to pass on the link with a modified user ID (the new URL would look like "http://www.youtube.com/watch?v=SDLKJ23lkljls234l2-lsdf23SLkg231ff119GEls" for AwesomezorTuber5 but would look like "http://www.youtube.com/watch?v=slL43lSlk4kLGJELxllf469LSDJ35l5lGi2346lhSR" for UserXtraTubeface). The user would not even know their user ID is part of the URL, and this would allow YouTube to track the originator of a video that gets passed on to others.

I want to make a tip/trick for this idea, but this idea is pretty useless unless I find a way to use it, so that's what I'm asking you... to provide me with some ideas for how to use this idea. I am only using YouTube as a convenient example... this idea could apply to any website that makes use of query strings. Finally, I'm not looking for one idea here... any and all ideas are welcome.
Comments
AspDotNetDev 19-Dec-10 6:10am    
To get things started, one idea is to use this as a replacement for cookies so that session can be enabled. This feature already exists, but it exposes the ID in the URL so that if the URL gets passed on to others, they appear to be on the same machine (that could cause all kinds of problems). By encrypting the session ID along with some other information about the machine (e.g., IP address), it would make the URL useless to other machines that don't match the encrypted information while enabling cookie-like storage of the session ID. Still not sure if that idea is that feasible though (e.g., many computers share the same external IP address when they are inside a company).
Sandeep Mewara 19-Dec-10 7:42am    
Is this important/part of the plan: "to track the originator of a video that gets passed on to others"?
AspDotNetDev 19-Dec-10 18:33pm    
Not necessarily. That just seems like one of the possible uses.
AspDotNetDev 19-Dec-10 23:52pm    
Note that I'm not looking for implementation details, as that is a solved problem (http://nayyeri.net/how-to-encrypt-query-string-parameters-in-asp-net). I'm looking for ideas of how to use my idea, which is not simply encrypting query strings (it has the addition of forcing certain identifying information to be in the query string).
thatraja 14-Jan-11 22:59pm    
Good one dude, if possible please post a blog/Tip-Trick about this one. 5!

1 solution

Just thought I'd add that I just came up with another idea (it supplements the cookie/session idea I noted in a comment above). If I include the IP address in the encrypted value, that would make it tied to that computer fairly uniquely, although not perfectly uniquely (because multiple computers behind a router can have the same IP address, so the person could IM the link to their coworker for example and the server might mix the two computers up). One way to mitigate that risk is to add the current date/time to the value. On each postback, the new date/time would be used (perhaps performing a redirect). If the date/time in the value is older than, say, 20 minutes, the server would consider it a bad request (so it would be similar to an expired session). To sum things up so far, the encrypted value would contain this information:

  • A GUID.
  • The user's IP address.
  • The current date/time (of each web request).

Maybe I could even add other unique information about the computer, such as the browser version. The more unique information, the less likely the URL can be used on another user's computer.

Oh, and one more idea. If I use AJAX, I can make the expiration duration even more frequent (say, every 10 seconds), because I can make asynchronous server requests periodically without interrupting the user with a full postback. The postback URL can then be modified to use the most frequent encrypted value (which would be stored in a JavaScript variable). This would make the solution even more secure (though less stable, as a temporary interruption of network availability would cause the user to have to start over).
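
The scheme sketched in the answer above (a GUID, the IP address and the request time inside one encrypted value, rejected after 20 minutes and reissued on each request), as an added example that is not part of the original post. Node.js and AES-256-GCM are assumptions of this sketch, and `sealToken`, `openToken`, `handleRequest` and `MAX_AGE_MS` are hypothetical names.

```javascript
// Added illustration; sealToken, openToken, handleRequest and MAX_AGE_MS are hypothetical names.
const { createCipheriv, createDecipheriv, randomBytes, randomUUID } = require('node:crypto');

const MAX_AGE_MS = 20 * 60 * 1000; // the 20-minute window suggested in the post

// Encrypt {guid, ip, issued-at} with AES-256-GCM and return a URL-safe string.
// GCM is an assumption of this sketch: it makes any edit to the value detectable.
function sealToken(key, guid, ip, now) {
  const iv = randomBytes(12); // fresh nonce per token, so every URL looks different
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const body = JSON.stringify({ guid, ip, t: now });
  const ct = Buffer.concat([cipher.update(body, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64url');
}

// Decrypt a token and check it against the requesting IP and the clock.
function openToken(key, token, requestIp, now) {
  let claims;
  try {
    const raw = Buffer.from(String(token), 'base64url');
    if (raw.length <= 28) throw new Error('too short');
    const decipher = createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
    decipher.setAuthTag(raw.subarray(12, 28));
    const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    claims = JSON.parse(pt.toString('utf8'));
  } catch {
    return { ok: false, reason: 'tampered' }; // wrong key, edited or truncated value
  }
  if (claims.ip !== requestIp) return { ok: false, reason: 'ip-mismatch' };
  if (now - claims.t > MAX_AGE_MS) return { ok: false, reason: 'expired' };
  return { ok: true, guid: claims.guid };
}

// One request: validate the incoming value, then issue a fresh one with a new
// timestamp for the next link or redirect (the "new date/time on each postback").
function handleRequest(key, token, requestIp, now = Date.now()) {
  const res = openToken(key, token, requestIp, now);
  if (!res.ok) return res;
  return { ...res, next: sealToken(key, res.guid, requestIp, now) };
}

// Constructed sample run: documentation-range IPs, random key and GUID.
const demoKey = randomBytes(32);
const first = sealToken(demoKey, randomUUID(), '203.0.113.7', Date.now());
console.log(handleRequest(demoKey, first, '203.0.113.7').ok);      // same machine
console.log(handleRequest(demoKey, first, '198.51.100.9').reason); // forwarded link
```

A second machine behind the same external IP address still passes the IP check inside the window, which is the limitation the answer itself points out.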
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


