Re: Is Server.Transfer secure?
From: Tim Almond (anon_at_anon.co.uk)
Date: 08/26/03
- Previous message: Lior Amar: "ASP.NET + SQL Server Windows authentication"
- In reply to: Chris Jackson: "Re: Is Server.Transfer secure?"
- Next in thread: Chris Jackson: "Re: Is Server.Transfer secure?"
- Reply: Chris Jackson: "Re: Is Server.Transfer secure?"
Date: Tue, 26 Aug 2003 17:00:51 +0100
"Chris Jackson" <chrisj@mvps.org> wrote in message
news:%23SGMy89aDHA.384@TK2MSFTNGP12.phx.gbl...
> If you use Server.Transfer, you can always use
> System.Web.HttpContext.Items.Add to pass something in to your request to the
> new page.
>
> As for retrieving properties from the source page, any time you rely on
> information that comes from the client, you can't trust it. So, if you're
> getting it from session state, then you are fine. But, say for example, that
> you have a form that gives you options based on your credentials. As an
> employee, I may have the option of requesting a vacation day, but as a
> manager I can request, approve, or deny a vacation day. If I am a malicious
> user, I can just create my own HTML form to post back an approval, even
> though I wouldn't see that option on the form that you gave me.
>
> Viewstate is a way for the server to pass information back and forth from
> itself - nothing is added to it on the client side.
>
> --
So to use Server.Transfer, I'd still have to validate the Case Code against
the user ID on the page in case the input had been hacked? I thought the
idea of the Server.Transfer was that it was like an internal 'pass'.
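
The check discussed in this exchange, as an added example that is not code from either poster: the page reached by Server.Transfer reads the case code from HttpContext.Items and re-validates it against the authenticated user before rendering anything. The names CaseDetail, CaseStore and the "CaseCode" key are hypothetical, and the ownership table is constructed sample data.

```csharp
// Added example: code-behind for the page that Server.Transfer targets.
// CaseDetail, CaseStore and the "CaseCode" key are hypothetical names.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;

public static class CaseStore
{
    // Constructed sample data: case code -> owning user name.
    private static readonly Dictionary<string, string> Owners =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "C-1001", @"CORP\alice" },
            { "C-1002", @"CORP\bob" }
        };

    public static bool IsOwner(string caseCode, string userName)
    {
        string owner;
        return caseCode != null
            && Owners.TryGetValue(caseCode, out owner)
            && string.Equals(owner, userName, StringComparison.OrdinalIgnoreCase);
    }
}

public class CaseDetail : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Context.Items is filled server-side by the page that called
        // Server.Transfer; it is empty if the browser requested this URL directly.
        string caseCode = Context.Items["CaseCode"] as string;

        // Identity comes from the authenticated request, never from a form field.
        string user = Context.User.Identity.IsAuthenticated
            ? Context.User.Identity.Name
            : null;

        // Re-check ownership here even though the source page already did:
        // the value it placed in Items may have originated from posted input.
        if (user == null || !CaseStore.IsOwner(caseCode, user))
        {
            throw new HttpException(403, "Not authorized for this case.");
        }
        // Safe to load and render the case from here on.
    }
}
```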