This smells similar to a problem someone else posted about recently where
they were using trim() on the key, tampering with it just enough (removing
meaningful whitespace) to make it no longer work.  URLEncode/Decode may do
something similar.

However, I would very strongly suggest not sending your encryption key in
any format to the browser or anyone's email account.  It makes more sense to
generate a random "one-time use token", store that in the DB, then send
that to the user via email - no crypto needed.  Once the token is used to
reset the password, remove it from the DB.  Additionally you could time that
token out after a day (or less) so it can't be floating around out there
forever.

-Cameron

On Tue, Sep 6, 2011 at 8:59 AM, Greg Morphis <[email protected]> wrote:

> I'm trying to encrypt a string with encrypt and generatesecretkey..
> I'm passing the string as a URL variable and then trying to decrypt
> the string. I'm getting errors like
> *  An error occurred while trying to encrypt or decrypt your input
> string: Input length must be multiple of 8 when decrypting with padded
> cipher.
> *  The key specified is not a valid key for this encryption: Invalid
> key length: 7 bytes.
>
> I'm using it to allow users to reset their passwords.
> What's weird is that the code works the majority of the time. We only
> see the error every now and then.
>
> What I do is on the forgot page I generate a secret key and then I
> encrypt the user's ID and then URLEncode them to pass within a link.
>
>                <cfset sk = GenerateSecretKey("DES") />
>                <cfset id = encrypt(member.new_id, sk ,"DES","Base64")>
>
>                <cfset sk = URLEncodedFormat(sk) />
>                <cfset id = URLEncodedFormat(id) />
>
> The link is sent to the user and the user clicks on it and is taken to
> the reset page
>
> I pass the values in a form
>        <input type="hidden" name="sk" value="<cfoutput>#url.sk#</cfoutput>" />
>        <input type="hidden" name="id" value="<cfoutput>#url.id#</cfoutput>" />
>
> And then I decrypt the string so I can find the user's ID:
> <cfset myid = decrypt(urldecode(form.id), urldecode(form.sk), "DES", "Base64") />
>
> So why is this generating an error sometimes?


-- 
Cameron Childress
--
p:   678.637.5072
im: cameroncf
facebook <http://www.facebook.com/cameroncf> |
twitter<http://twitter.com/cameronc> |
google+ <https://profiles.google.com/u/0/117829379451708140985>
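Two points from Cameron's reply are worth seeing in working code: how a Base64 key can be altered by URL encoding/decoding, and what the "random one-time token in the DB, no crypto" alternative looks like. The following is an added example written in Python rather than ColdFusion; it is not code from this thread or from ColdFusion itself. The in-memory `ResetTokenStore` stands in for the DB table, the sample key bytes are constructed so their Base64 form contains '+', and the 24-hour TTL follows the "time it out after a day" suggestion. The first part shows one concrete way the key gets mangled: a value that is URL-decoded twice (for example once by the framework and once by hand) turns any literal '+' into a space, so the key no longer decodes to 8 bytes.

```python
import base64
import hashlib
import secrets
from urllib.parse import quote_plus, unquote_plus

# ---- Part 1: a Base64 key does not survive being URL-decoded twice ----------
# Base64 output uses '+', '/' and '='. One encode/decode round trip preserves
# them, but a second decode interprets a literal '+' as an encoded space.

# Constructed sample: 8 key bytes chosen so the Base64 form starts with "++++".
SAMPLE_KEY_B64 = base64.b64encode(b"\xfb\xef\xbe\x01\x02\x03\x04\x05").decode()


def double_decode(encoded_once: str) -> str:
    """Simulate a value decoded by the framework and then decoded again by hand."""
    return unquote_plus(unquote_plus(encoded_once))


def key_survives_transit(key_b64: str, decode_twice: bool) -> bool:
    """True if the key that comes out of the URL equals the key that went in."""
    on_the_wire = quote_plus(key_b64)              # what the emailed link carries
    received = double_decode(on_the_wire) if decode_twice else unquote_plus(on_the_wire)
    return received == key_b64


# ---- Part 2: random one-time reset token stored server-side ----------------
TOKEN_TTL_SECONDS = 24 * 60 * 60                    # token expires after a day


class ResetTokenStore:
    """Stand-in for the DB table: sha256(token) -> (user_id, expires_at)."""

    def __init__(self) -> None:
        self._rows: dict[str, tuple[str, float]] = {}

    @staticmethod
    def _hash(token: str) -> str:
        # Store only a hash, so a leaked table does not hand out usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, now: float) -> str:
        # token_urlsafe uses '-' and '_' instead of '+' and '/' and has no '='
        # padding, so the value can go straight into a link without surprises.
        token = secrets.token_urlsafe(32)
        self._rows[self._hash(token)] = (user_id, now + TOKEN_TTL_SECONDS)
        return token                                # this is what gets emailed

    def consume(self, token: str, now: float):
        """Return the user id for a valid, unexpired token and delete it; else None."""
        row = self._rows.pop(self._hash(token), None)   # one-time use: always remove
        if row is None:
            return None                             # unknown or already used
        user_id, expires_at = row
        if now > expires_at:
            return None                             # expired, and now gone too
        return user_id


if __name__ == "__main__":
    print("key:", SAMPLE_KEY_B64)
    print("survives one decode:", key_survives_transit(SAMPLE_KEY_B64, False))
    print("survives two decodes:", key_survives_transit(SAMPLE_KEY_B64, True))
    store = ResetTokenStore()
    t = store.issue("member-42", now=0.0)
    print("first use:", store.consume(t, now=60.0))
    print("second use:", store.consume(t, now=61.0))
```

The reset link then carries only the random token; the server hashes it, looks up the row, checks expiry, and deletes the row in the same step, so nothing secret ever reaches the browser or a mailbox and there is no key to be damaged in transit.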


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:347227