Re: Is Server.Transfer secure?

From: Chris Jackson (chrisj_at_mvps.org)
Date: 08/26/03 

Date: Tue, 26 Aug 2003 10:34:43 -0400

If you use Server.Transfer, you can always use
System.Web.HttpContext.Items.Add to pass something in to your request to the
new page.

As for retrieving properties from the source page, any time you rely on
information that comes from the client, you can't trust it. So, if you're
getting it from session state, then you are fine. But, say for example, that
you have a form that gives you options based on your credentials. As an
employee, I may have the option of requesting a vacation day, but as a
manager I can request, approve, or deny a vacation day. If I am a malicious
user, I can just create my own HTML form to post back an approval, even
though I wouldn't see that option on the form that you gave me.

Viewstate is a way for the server to pass information back and forth from
itself - nothing is added to it on the client side. 

-- 
Chris Jackson
Software Engineer
Microsoft MVP - Windows XP
Windows XP Associate Expert
-- 
"Tim Almond" <anon@anon.co.uk> wrote in message
news:ezLXtx9aDHA.1740@TK2MSFTNGP10.phx.gbl...
> I'm working on a site, and have to pass information (a case code) between
2
> pages.
>
> I initially thought of using the URL and passing the code as a parameter
and
> revalidating. However, this seems a bit inefficient.
>
> If I use server.transfer and retrieve properties from the source page, can
> this be hacked so that someone could force the page, or is it protected
from
> this? Does it use ViewState or something?
>
> I'd like to not have to re-validate everything on the page, so any
> information would be very helpful.
>
> Tim Almond
>
>

Relevant Pages

  • Re: Windows Server Referral Problem
    ... EN> Markus I have a request out to Microsoft to get more information ... When Windows ... and returns a referral to the specified realm if there's a match. ... EN> I have a problem with server referrals in my Windows environment. ...
    (comp.protocols.kerberos)
  • IPSEC with certificates on Windows XP (Certificate donīt have a private key )
    ... I have a question for the Microsoft CSP and IPSEC. ... I have installed a small network of 4 computers. ... computers and two windows 2000 computers. ... The program certreq.exe generate a certificate request. ...
    (microsoft.public.platformsdk.security)
  • Re: call is blocked in recvfrom() and no further proceedings in Wi
    ... For transmitting UDP packets through emulator, ... >> In windows CE, I'm able to send a request but I'm unable to receive it. ... >>> My program has to send request to service through port 5070(in this port ...
    (microsoft.public.windowsce.embedded)
  • .net user permissions in IIS
    ... We have a windows 2003 domain with 4 web servers in. ... (Exception from HRESULT: 0x80070005 ... the current web request. ...
    (microsoft.public.dotnet.framework.aspnet)
  • [NT] Invalid Universal Plug and Play Request Can Disrupt System Operation
    ... Invalid Universal Plug and Play Request Can Disrupt System Operation ... Windows ME and XP include native UPnP ... manufacturers do, however, install it on the systems they sell) ...
    (Securiteam)