Encrypting Cookies in ASP.Net

6/6/2008

Have you ever wanted to save sensitive information in a cookie without worrying about it being read or tampered with? You will still have to worry, since anything can be broken given enough time, but encrypting your cookies makes that considerably more annoying for an attacker. Two caveats up front: encryption only hides the value from whoever holds the cookie, so whatever cipher you plug in should also authenticate the ciphertext (a MAC or an authenticated mode), otherwise the client can still flip bits and have your server decrypt whatever comes out; and an encrypted cookie is still only as private as the channel it travels over, so mark it Secure and HttpOnly. To handle the encryption on my own projects, I came up with a module to do it for me. Why an HttpModule and not just a utility class? Simple: I'm lazy and didn't want to put the code in more than one location.

using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

namespace Site
{
    // Transparently encrypts every cookie a Page writes and decrypts every cookie it reads,
    // so page code keeps working with plain-text cookie values.
    public class EncryptCookies : IHttpModule
    {
        // Cookies that ASP.NET itself consumes earlier in the pipeline than AcquireRequestState
        // (session state, forms authentication) must be left alone, or the framework sees
        // ciphertext it cannot read and silently drops the session or signs the user out.
        private static readonly string[] FrameworkCookies = new string[]
        {
            "ASP.NET_SessionId",
            FormsAuthentication.FormsCookieName
        };

        // Purpose string binds the protected payload to this module, so data protected for
        // some other purpose under the same machineKey cannot be swapped in.
        private const string Purpose = "Site.EncryptCookies";

        public void Dispose()
        {
        }

        public void Init(HttpApplication context)
        {
            // Decrypt as early as we can (the handler is mapped by AcquireRequestState),
            // encrypt as late as we can (EndRequest is the last event before headers go out).
            context.AcquireRequestState += new EventHandler(context_AcquireRequestState);
            context.EndRequest += new EventHandler(context_EndRequest);
        }

        void context_EndRequest(object sender, EventArgs e)
        {
            HttpContext context = ((HttpApplication)sender).Context;
            if (!(context.CurrentHandler is System.Web.UI.Page))
                return;

            foreach (string cookieName in context.Response.Cookies.Keys)
            {
                if (IsFrameworkCookie(cookieName))
                    continue;

                HttpCookie cookie = context.Response.Cookies[cookieName];
                if (cookie.HasKeys)
                {
                    // Multi-valued cookie (name=k1=v1&k2=v2): protect each sub-value so the
                    // k=v&k=v structure survives and can be parsed again on the way back in.
                    // AllKeys is a copy, so assigning into Values inside the loop is safe.
                    foreach (string key in cookie.Values.AllKeys)
                        cookie.Values[key] = Encrypt(cookie.Values[key]);
                }
                else
                {
                    cookie.Value = Encrypt(cookie.Value);
                }
            }
        }

        void context_AcquireRequestState(object sender, EventArgs e)
        {
            HttpContext context = ((HttpApplication)sender).Context;
            if (!(context.CurrentHandler is System.Web.UI.Page))
                return;

            foreach (string cookieName in context.Request.Cookies.Keys)
            {
                if (IsFrameworkCookie(cookieName))
                    continue;

                HttpCookie cookie = context.Request.Cookies[cookieName];
                if (cookie.HasKeys)
                {
                    foreach (string key in cookie.Values.AllKeys)
                        cookie.Values[key] = Decrypt(cookie.Values[key]);
                }
                else
                {
                    cookie.Value = Decrypt(cookie.Value);
                }
            }
        }

        private static bool IsFrameworkCookie(string cookieName)
        {
            return Array.IndexOf(FrameworkCookies, cookieName) >= 0;
        }

        // The post leaves the cipher to the reader ("Add the encryption"); the choice filled in
        // here is MachineKey.Protect (.NET 4.5 and later), which encrypts and MACs the payload
        // under the application's machineKey, so a cookie the client has edited fails Unprotect
        // instead of decrypting to attacker-chosen bytes. On older frameworks substitute your
        // own routine, but keep the MAC. URL-token base64 is used for the output because it is
        // cookie-safe and contains no '=' or '&', which keeps multi-valued cookies parseable.
        private static string Encrypt(string plain)
        {
            if (string.IsNullOrEmpty(plain))
                return plain;
            byte[] protectedBytes = MachineKey.Protect(Encoding.UTF8.GetBytes(plain), Purpose);
            return HttpServerUtility.UrlTokenEncode(protectedBytes);
        }

        // Returns null for a missing, malformed, or tampered value, so page code sees
        // "no cookie" rather than unverified plaintext.
        private static string Decrypt(string cipher)
        {
            if (string.IsNullOrEmpty(cipher))
                return cipher;
            try
            {
                byte[] protectedBytes = HttpServerUtility.UrlTokenDecode(cipher);
                if (protectedBytes == null)
                    return null;
                return Encoding.UTF8.GetString(MachineKey.Unprotect(protectedBytes, Purpose));
            }
            catch (FormatException)
            {
                return null;
            }
            catch (CryptographicException)
            {
                return null;
            }
        }
    }
}

The module hooks two events: AcquireRequestState, which fires once the handler for the request has been mapped and is the earliest point at which we can decrypt the incoming cookies, and EndRequest, the last event in the pipeline, where the outgoing cookies are encrypted just before the response headers are sent. Both handlers only act when the current handler is a System.Web.UI.Page, and both skip ASP.NET_SessionId, because the session-state module reads that cookie before this module ever sees it. The same applies to any other cookie the framework consumes before AcquireRequestState, such as the forms authentication ticket: encrypt it on the way out and ASP.NET will not be able to read it on the way back in, so such cookies must be left alone as well. Other than that, there is nothing you need to do: add information to your cookies as normal and the module does all the work.

There are two things you need to do before you can use the module:

  1. Add the encryption.
  2. Register the module in your web.config file.

I've discussed encryption before and it's really easy to add; just make sure whatever you plug in both encrypts and authenticates the value, since a cipher without a MAC still lets the client tamper with the cookie. Registering a module in web.config is also extremely easy. Other than that, it's all there for you. So use the code, leave feedback, and happy coding.
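For step 2, here is the web.config wiring, added here as an example rather than taken from the original post. It registers the module under both pipelines (system.web/httpModules for IIS 6 and IIS 7 classic mode, system.webServer/modules for IIS 7 integrated mode) and adds the two settings a practitioner would want next to it: a pinned machineKey, which matters if your cipher is keyed from it and you run more than one server, and httpCookies so every cookie goes out Secure and HttpOnly. The type name assumes the class compiles into the site's own assembly (App_Code or the web project); for a separate assembly append ", AssemblyName". The key values are placeholders, not real keys.

```xml
<configuration>
  <system.web>
    <!-- Classic pipeline: IIS 6, or IIS 7 in classic mode -->
    <httpModules>
      <add name="EncryptCookies" type="Site.EncryptCookies" />
    </httpModules>

    <!-- Placeholder keys: generate your own. Any cipher keyed from machineKey
         (MachineKey / FormsAuthentication APIs) only round-trips across a farm
         when the keys are pinned here instead of auto-generated per server.
         HMACSHA256 needs .NET 4.0+; use SHA1 on 2.0/3.5. -->
    <machineKey validationKey="REPLACE-WITH-128-HEX-CHARS"
                decryptionKey="REPLACE-WITH-64-HEX-CHARS"
                validation="HMACSHA256"
                decryption="AES" />

    <!-- Encryption hides the value; these flags keep it off plain HTTP and away from script. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <system.webServer>
    <!-- IIS 7+ integrated pipeline -->
    <modules>
      <add name="EncryptCookies" type="Site.EncryptCookies" />
    </modules>
  </system.webServer>
</configuration>
```

If the site runs under only one pipeline you need only the matching registration; registering under both is harmless because each pipeline ignores the other section.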
