
ColdFusion: Encrypting sensitive data in URL strings

This article was originally published on July 24, 2008.

On one of my current projects, I’ve found myself in need of passing sensitive data through a URL string. I could use an individual form for each link and pass it via POST, but I wanted to see what I might be able to do by way of encrypting the data. Turns out it’s quite easy.

We’re still running ColdFusion MX 6 here, so some of the newer functions are either crippled or nonexistent. Starting with MX 7, the Encrypt function can handle several different encryption algorithms. I’m stuck with ColdFusion’s own algorithm, which isn’t nearly as secure as AES. However, after a little bit of research, I discovered that it’s actually quite easy to encrypt a variable in your querystring data.

This is a four-step process:

  1. Create a 32-bit string which will be used as the encryption key. I used a phrase, although I would imagine it would be more secure to include some special characters in there.
  2. Encrypt your data using the Encrypt function. This takes two parameters – the string you’re encrypting, and the string you’re using as your key.
  3. Convert the encrypted string to Base64 so it can be used in your URL string, using the ToBase64 function. The Encrypt function converts your string into a mess of special characters, many of which are invalid in a URL.
  4. On the page that is processing the URL string, convert the encrypted value back to a string and decrypt it by nesting the ToBinary, ToString, and Decrypt functions.

Your final code will look something like this:

<!--- Encrypt String --->
<!--- The key stays on the server; only the encrypted value ever goes into the URL --->
<cfset Secret = 'Don''t tell anyone what this value is!'>
<cfset TheKey = 'This is my secret key phrase! 5-6-7-8, who do we appreciate?'>
<!--- On MX 6, Encrypt() uses ColdFusion's own CFMX_COMPAT algorithm and returns raw, non-URL-safe characters --->
<cfset Encrypted = Encrypt(Secret, TheKey)>
<!--- Base64 is URL-friendlier, but its "+", "/" and "=" characters still need URLEncodedFormat() before the value is placed in a querystring --->
<cfset Secret64 = ToBase64(Encrypted)>

<!--- Decrypt String --->
<!--- Reverse the steps: Base64 -> binary -> string -> Decrypt with the same key --->
<cfset UnlockedSecret = Decrypt(ToString(ToBinary(Secret64)), TheKey)>

Simple, huh? My encrypted values look something like JSQuTyoqWkwgCg==. However, depending on what you’re encrypting (numbers, a phrase, an alphanumeric code, etc.), your obfuscated value might look quite a bit different.

While you certainly should use extreme caution with highly sensitive data like bank account or social security numbers, this is a pretty quick and dirty method of obfuscating data that can’t be passed via POST in your application.
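As an added example that is not part of the original article, here is the same round trip written for ColdFusion MX 7 or later, where Encrypt and Decrypt accept an algorithm and an encoding argument, so the AES path mentioned above can be used instead of the MX 6 default. It also covers the two things the four-step recipe leaves out: escaping the Base64 characters that are not valid in a querystring, and catching the error that Decrypt raises when the parameter arrives altered. The key variable name (Application.urlKey), the receiving page (view.cfm) and the parameter name (token) are assumptions for the example.

```cfml
<!--- Added example, not the article's own code. Requires ColdFusion MX 7+ for
      GenerateSecretKey() and the algorithm/encoding arguments of Encrypt()/Decrypt(). --->

<!--- Generate the key once and keep it server-side (Application scope here, assumed name);
      on MX 6 you would substitute a fixed pass phrase and call Encrypt(Secret, TheKey). --->
<cfif NOT StructKeyExists(Application, "urlKey")>
    <cfset Application.urlKey = GenerateSecretKey("AES")>
</cfif>

<!--- Sending page: encrypt, then URL-encode. Asking Encrypt() for "Base64" output
      replaces the separate ToBase64() step, but Base64 still contains "+", "/" and "=",
      which must be escaped before they go into the querystring. --->
<cfset Secret = "Don't tell anyone what this value is!">
<cfset Encrypted = Encrypt(Secret, Application.urlKey, "AES", "Base64")>
<cfset Token = URLEncodedFormat(Encrypted)>
<cfoutput><a href="view.cfm?token=#Token#">View record</a></cfoutput>

<!--- Receiving page (view.cfm, assumed name): ColdFusion URL-decodes URL.token for you.
      A value that was truncated or edited in transit normally makes Decrypt() throw,
      so handle that here instead of letting the default error page reveal details. --->
<cfparam name="URL.token" default="">
<cftry>
    <cfset UnlockedSecret = Decrypt(URL.token, Application.urlKey, "AES", "Base64")>
    <cfcatch type="any">
        <cfset UnlockedSecret = "">
        <cfheader statuscode="400" statustext="Bad Request">
        <cfoutput><p>The link you followed is not valid.</p></cfoutput>
        <cfabort>
    </cfcatch>
</cftry>
```

Because the key never leaves the server, an outsider who sees the URL sees only the token; the cftry block matters because the same outsider can also change the token, and a decrypt failure should end the request with a generic message rather than a stack trace.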
