Creating Expiring Web Pages :: Page B

This page is the "receiving" page. You shouldn't be able to see this page's content unless you came through PageA.aspx. Furthermore, if you refresh this page 15 seconds or more from now, it will display an error informing you that the link has "expired."


ERROR: No time value was passed in the querystring


Source Code
<h2><asp:Label runat="server" id="msg" /></h2>

<script runat="server" language="VB">
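  'Page_Load: shows the protected message only when the querystring carries a Time value
  'whose Digest verifies and which lies inside the allowed window around the server clock.
  'Every other case sets an error message on the Msg label (or ends the response inside
  'EnsureURLNotTampered).
  Sub Page_Load(sender as Object, e as EventArgs)
    'Read the timestamp once, so the value that is checked, verified and parsed is the same string
    Dim t as String = Request.QueryString("Time")
    If t is Nothing OrElse t.Length = 0 Then
      Msg.Text = "ERROR: No time value was passed in the querystring"
      Msg.ForeColor = System.Drawing.Color.Red
      Return
    End If

    'Verify the digest BEFORE trusting the timestamp. On a missing or wrong digest
    'EnsureURLNotTampered writes an error and calls Response.End(), which ends the request.
    EnsureURLNotTampered(String.Format("Time={0}", t))

    'Parse the timestamp. A value that verifies but is not in the expected format is
    'reported on the page instead of surfacing as an unhandled FormatException.
    Dim reqTime As DateTime
    Try
      reqTime = DateTime.ParseExact(t, "yyyyMMddHHmmss", _
           System.Globalization.DateTimeFormatInfo.InvariantInfo)
    Catch ex As FormatException
      Msg.Text = "ERROR: The time value in the querystring is not valid"
      Msg.ForeColor = System.Drawing.Color.Red
      Return
    End Try

    'Finally, make sure that the time is within the 'legal' window.
    'NOTE(review): the comparison uses the server's local clock (DateTime.Now), so the page
    'that issued the link must stamp Time from the same clock - confirm against PageA.aspx.
    'Math.Abs means a timestamp up to the window in the FUTURE is accepted as well.
    Dim RequestWindowInSeconds as Integer = 15
    Dim ageInSeconds as Double = Math.Abs(reqTime.Subtract(DateTime.Now).TotalSeconds)
    If ageInSeconds > RequestWindowInSeconds Then
      Msg.Text = "ERROR: Link is stale!"
      Msg.ForeColor = System.Drawing.Color.Red
    Else
      Msg.ForeColor = System.Drawing.Color.Black
      Msg.Text = "Congrats, this is the protected message!"
    End If
  End Sub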
  
'The secret salt: GetDigest places it before and after the data being hashed.
'NOTE(security): knowledge of this value is all that is needed to compute a valid digest,
'and here it is hard-coded in page source and shown in the published listing. Treat the
'literal below as a sample only: a deployment should generate its own random value, keep it
'in protected configuration rather than in the page, and use the same value on the page
'that creates the link.
Private Const SecretSalt = "H3#@*ALMLLlk31q4l1ncL#@RFHF#N3fNM><#WH$O@#!FN#LNl33N#LNFl#J#Y$#IOHhnf;;3qrthl3q"

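'EnsureURLNotTampered: recomputes the digest for tamperProofParams and compares it with the
'Digest value from the querystring. If the digest is missing or different, an error is
'written to the response and Response.End() is called; otherwise the Sub simply returns.
'  tamperProofParams - the exact "name=value" text the digest is expected to cover
Sub EnsureURLNotTampered(tamperProofParams as String)
  'Determine what the digest SHOULD be
  Dim expectedDigest as String = GetDigest(tamperProofParams)

  Dim receivedDigest as String = Request.QueryString("Digest")
  If receivedDigest Is Nothing Then
    'No Digest parameter at all: refuse the request
    Response.Write("YOU MUST PASS IN A DIGEST!")
    Response.End()
  Else
    'Any + in the digest passed through the querystring would have been converted into
    'a space, so convert spaces back into +
    receivedDigest = receivedDigest.Replace(" ", "+")

    'Compare character code by character code. String.Compare without options is
    'culture-sensitive, which is the wrong equality for a security token, and it can stop at
    'the first difference. Accumulating the differences with Or keeps the running time
    'independent of WHERE the two strings differ.
    Dim diff as Integer = expectedDigest.Length Xor receivedDigest.Length
    Dim limit as Integer = Math.Min(expectedDigest.Length, receivedDigest.Length)
    Dim i as Integer
    For i = 0 To limit - 1
      diff = diff Or (Convert.ToInt32(expectedDigest.Chars(i)) Xor Convert.ToInt32(receivedDigest.Chars(i)))
    Next

    If diff <> 0 Then
      'Digests do not match: refuse the request
      Response.Write("THE URL HAS BEEN TAMPERED WITH.  I PITY THE FOOL WHO TAMPERS WITH THE URL!")
      Response.End()
    End If
  End If
End Sub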

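'GetDigest: returns the Base-64 text (trailing '=' padding removed) of the MD5 hash of
'SecretSalt + tamperProofParams + SecretSalt, with the input encoded as UTF-8.
'  tamperProofParams - the text the digest must cover
'
'NOTE(security): this is a hash, not encryption, and salt+data+salt under MD5 is a
'home-grown keyed hash rather than a standard MAC. MD5 is no longer recommended for new
'designs; System.Security.Cryptography.HMACSHA256 keyed with a secret held outside the
'page source is the usual replacement. The algorithm is left unchanged here because the
'page that creates the link (presumably PageA.aspx - confirm) has to compute the identical
'value, so both pages must be switched together.
Function GetDigest(tamperProofParams as String) as String
  Dim input as String = String.Concat(SecretSalt, tamperProofParams, SecretSalt)

  'The encoder used to convert the input string to an array of bytes
  Dim encoder As New System.Text.UTF8Encoding

  'The array of bytes that will contain the hash of input
  Dim hashedDataBytes As Byte()

  'Create the MD5 hasher and release it when done; the original never released it
  Dim md5Hasher As New System.Security.Cryptography.MD5CryptoServiceProvider
  Try
    hashedDataBytes = md5Hasher.ComputeHash(encoder.GetBytes(input))
  Finally
    md5Hasher.Clear()
  End Try

  'Base-64 encode the result and strip off the ending '==', if it exists
  Return Convert.ToBase64String(hashedDataBytes).TrimEnd("=".ToCharArray())
End Function  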
</script>

