User Tools

Site Tools


ColdFusion: Encrypting sensitive data in URL strings

This article was originally published on July 24, 2008.

On one of my current projects, I’ve found myself in need of passing sensitive data through a URL string. I could use an individual form for each link and pass it via POST, but I wanted to see what I might be able to do by way of encrypting the data. Turns out it’s quite easy.

We’re still running ColdFusion MX 6 here, so some of the newer functions are either crippled or nonexistent. Starting with MX 7, the Encrypt function can handle several different encryption algorithms. I’m stuck with ColdFusion’s own algorithm, which isn’t nearly as secure as AES. However, after a little bit of research, I discovered that it’s actually quite easy to encrypt a variable in your querystring data.

This is a four-step process:

  1. Create a 32-bit string which will be used as the encryption logarithm. I used a phrase, although I would imagine it would be more secure to include some special characters in there.
  2. Encrypt your data using the Encrypt function. This takes two parameters – the string you’re encrypting, and the string you’re using as your logarithm.
  3. Convert the encrypted string to Base64 so it can be used in your URL string, using the Base64 function. The Encrypt function converts your string into a mess of special characters, many of which are invalid in a URL.
  4. On the page that is processing the URL string, convert the encrypted value back to a string and decrypt it by nesting the ToBinary, ToString, and Decrypt functions.

Your final code will look something like this:

<!--- Encrypt String --->
<cfset Secret = 'Don''t tell anyone what this value is!'>
<cfset TheKey = 'This is my secret key phrase! 5-6-7-8, who do we appreciate?'>
<cfset Encrypted = Encrypt(Secret, TheKey)>
<cfset Secret64 = ToBase64(Encrypted)>
<!--- Decrypt String --->
<cfset UnlockedSecret = Decrypt(ToString(ToBinary(Secret64)), TheKey)>

Simple, huh? My encrypted values look something like JSQuTyoqWkwgCg==. However, depending on what you’re encrypting (numbers, a phrase, an alphanumeric code, etc.), your obfuscated value might look quite a bit different.

While you certainly should use extreme caution with highly sensitive data like bank account or social security numbers, this is a pretty quick and dirty method of obfuscating data that can’t be passed via POST in your application.