Skip to main content


In your CSP pages, you can encrypt values sent to the browser, including URL parameters sent to other CSP pages, by using the unique session key of the %session object. This mechanism is secure because the session key is never sent to an HTTP client.

Encrypting and Decrypting Values

To encrypt a value, use the Encrypt() method of your page class. This method is inherited from %CSP.PageOpens in a new tab superclass. Within the same session, you can decrypt this value by using the Decrypt() method. Note that in both cases, the method automatically uses the session key.

Encrypting URL Parameters

You can encrypt URL parameters when you include an HTML <A> anchor link from one CSP page to another CSP page in the same session. The URL seen by the browser includes the CSPToken URL parameter instead of the original parameter or parameters (example is truncated):


There are two parts to the system:

  • On the page where you are creating the URL for the link, use the Link() method of %CSP.PageOpens in a new tab to create the URL.

    It is best practice to use Link() for all URLs, whether or not they are to be encrypted.

     Set origurl="GCSP.EncryptPage2.cls"
     Set urlparms("SAMPLEPARM")="sample value"
     Set tURL = ##class(%CSP.Page).Link(origurl,.urlparms)
     Set html="<p>Link to page 2: <a href="""_tURL_""">Link</a>"_"</p>" 
  • On the target page, specify the ENCODED class parameter as either 1 or 2. This class parameter can have any of the following values:

    • ENCODED=0 — Query parameters are not encrypted. The browser receives them as is.

    • ENCODED=1 — All query parameters are encrypted and passed within the CSPToken URL parameter (as shown in the example).

    • ENCODED=2 — Same as 1 except for any unencrypted parameters, which are URL parameters appended manually to the URL (in contrast to parameters added via the Link() method). Unencrypted parameters are removed from the %request object.

    For example:

    Parameter ENCODED = 2;

Even when a URL parameter is encrypted as described here, you can retrieve the parameter value in the usual way. For example:

 set urlparm=$GET(%request.Data("SAMPLEPARM",1)) 

InterSystems IRIS® data platform always decrypts the value if necessary, automatically.

FeedbackOpens in a new tab