Re: Is Server.Transfer secure?
From: Chris Jackson (chrisj_at_mvps.org)
Date: 08/26/03
- Next message: Alek Davis: "Re: Impersonation/Delegation security considerations"
- Previous message: Sherif ElMetainy: "Re: ASP.NET + SQL Server Windows authentication"
- In reply to: Tim Almond: "Re: Is Server.Transfer secure?"
- Next in thread: tim almond: "Re: Is Server.Transfer secure?"
- Reply: tim almond: "Re: Is Server.Transfer secure?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 26 Aug 2003 13:20:37 -0400
It is like an internal pass - the client isn't aware of it. If the client
gets between the two pages, then you have to validate your data. If it's
already validated, then you can continue to trust it.
--
Chris Jackson
Software Engineer
Microsoft MVP - Windows XP
Windows XP Associate Expert
--

"Tim Almond" <anon@anon.co.uk> wrote in message news:OD1dDu%23aDHA.1204@TK2MSFTNGP12.phx.gbl...
>
> "Chris Jackson" <chrisj@mvps.org> wrote in message
> news:%23SGMy89aDHA.384@TK2MSFTNGP12.phx.gbl...
> > If you use Server.Transfer, you can always use
> > System.Web.HttpContext.Items.Add to pass something in to your request to the
> > new page.
> >
> > As for retrieving properties from the source page, any time you rely on
> > information that comes from the client, you can't trust it. So, if you're
> > getting it from session state, then you are fine. But, say for example, that
> > you have a form that gives you options based on your credentials. As an
> > employee, I may have the option of requesting a vacation day, but as a
> > manager I can request, approve, or deny a vacation day. If I am a malicious
> > user, I can just create my own HTML form to post back an approval, even
> > though I wouldn't see that option on the form that you gave me.
> >
> > Viewstate is a way for the server to pass information back and forth from
> > itself - nothing is added to it on the client side.
> >
> > --
> So to use Server.Transfer, I'd still have to validate the Case Code against
> the user ID on the page in case the input had been hacked? I thought the
> idea of the Server.Transfer was that it was like an internal 'pass'.
>
>
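As an added illustration of the advice in this thread (not code from either poster): an ASP.NET Web Forms pair of pages in which the source page stores the server-decided role in HttpContext.Items before calling Server.Transfer, and the target page reads only that server-side data and re-checks the role before honouring an approve/deny action posted from the client. The page names, the "Action" form field and the "Manager" role name are assumptions for the example.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Source page (assumed name VacationRequest.aspx). It decides what the
// current user may do from the authenticated identity, never from the form,
// and hands that verdict to the next page through HttpContext.Items, which
// lives only for this server-side request and is never sent to the client.
public partial class VacationRequest : Page
{
    protected void SubmitButton_Click(object sender, EventArgs e)
    {
        // "Action" arrives from the client and is untrusted: a hand-built
        // HTML form can post "approve" even if the UI never offered it.
        string requestedAction = Request.Form["Action"] ?? "request";

        // Authorization comes from the principal established by authentication.
        bool isManager = User.IsInRole("Manager");

        Context.Items["RequestedAction"] = requestedAction;
        Context.Items["IsManager"] = isManager;

        // Internal pass: the browser still shows this page's URL and never
        // sees the transfer, so Items cannot be tampered with in transit.
        Server.Transfer("ProcessVacation.aspx");
    }
}

// Target page (assumed name ProcessVacation.aspx). It trusts Items because
// the server populated them, but still gates the privileged actions.
public partial class ProcessVacation : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string action = Context.Items["RequestedAction"] as string;
        bool isManager = (bool)(Context.Items["IsManager"] ?? false);

        switch (action)
        {
            case "request":
                Response.Write("Vacation requested by " + User.Identity.Name);
                break;
            case "approve":
            case "deny":
                // The role check, not the absence of a button, is what stops
                // a forged approval from an ordinary employee.
                if (!isManager)
                    throw new HttpException(403, "Only managers may approve or deny.");
                Response.Write(action + " recorded by " + User.Identity.Name);
                break;
            default:
                throw new HttpException(400, "Unknown action.");
        }
    }
}
```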