Re: Is Server.Transfer secure?

From: Chris Jackson (chrisj_at_mvps.org)
Date: 08/28/03

    Date: Thu, 28 Aug 2003 16:51:18 -0400

    ANY time the user gives you input, you HAVE to validate it if security is
    critical. In this case, they are providing the case number, so you have to
    validate it if they CANNOT view another one. Otherwise, the response that
    they send could be modified very easily, bypassing your initial check. If
    you don't care if they view another one, and it's just a convenience to
    filter them, don't worry about it. If it matters, then revalidate.

    -- 
    Chris Jackson
    Software Engineer
    Microsoft MVP - Windows XP
    Windows XP Associate Expert
    -- 
    "tim almond" <vv@iijjhh> wrote in message
    news:ukMr5fAbDHA.2620@TK2MSFTNGP09.phx.gbl...
    >
    >
    > Chris Jackson wrote:
    > > It is like an internal pass - the client isn't aware of it. If the client
    > > gets between the two pages, then you have to validate your data. If it's
    > > already validated, then you can continue to trust it.
    > >
    > Hmmmm...
    >
    > now I'm really puzzled ;)
    >
    > Can I explain my situation...
    > The situation I have is a page with a datagrid which has a list of cases
    > based on the user ID of the user who is logged in. When the user selects
    > one of the cases, I need to pass the case # to the 'update case' page.
    >
    > But what I don't want is someone to be able to form an HTTP request and
    > change the 'case number' to someone else's number.
    >
    > First thought was to do what I used to do in ASP, and just validate
    > anything passed each time to ensure that it was valid for the user who
    > was logged in.
    >
    > I suppose I could use a session variable to pass it, but was looking for
    > something a little cleaner.
    >
    > Does this make sense, and am I stuck with re-validating?
    >
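
One way to do the re-validation Chris describes in ASP.NET Web Forms, as an added example that is not code from either poster. It assumes a `Cases` table with `CaseId` and `OwnerUserName` columns and a connection string stored under the app-settings key `CaseDb`; both names are assumptions for illustration. Whether the case number arrives through Server.Transfer in `Context.Items` or as a plain request parameter, the update page checks it against the identity ASP.NET authenticated, never against anything the client sent:

```csharp
// CaseList.aspx.cs: the listing page hands the selected case number to the
// update page with Server.Transfer. The value still originates from a postback,
// so it is client-supplied data even though the browser never sees a redirect.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;
using System.Web.UI.WebControls;

public class CaseList : Page
{
    protected DataGrid CasesGrid;

    protected void CasesGrid_SelectedIndexChanged(object sender, EventArgs e)
    {
        // Context.Items lives only for this request, so the update page can read
        // it after Server.Transfer without the value appearing in the URL.
        Context.Items["CaseNumber"] = CasesGrid.SelectedItem.Cells[0].Text;
        Server.Transfer("UpdateCase.aspx");
    }
}

// UpdateCase.aspx.cs: the target page re-validates regardless of how it was reached.
public class UpdateCase : Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // Accept the case number from either path, treating both as untrusted.
        string raw = Context.Items["CaseNumber"] as string;
        if (raw == null)
            raw = Request.QueryString["case"];

        int caseNumber;
        try
        {
            caseNumber = int.Parse(raw);
        }
        catch (Exception)
        {
            Response.StatusCode = 400;
            Response.End();
            return;
        }

        // Authorization check: the owner comes from the authenticated identity,
        // never from a user id supplied by the client.
        if (!User.Identity.IsAuthenticated ||
            !CaseBelongsToUser(caseNumber, User.Identity.Name))
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        // Safe to load the case for editing from here on.
    }

    private static bool CaseBelongsToUser(int caseNumber, string userName)
    {
        // Assumed schema: Cases(CaseId int, OwnerUserName nvarchar(256)).
        string connStr = ConfigurationSettings.AppSettings["CaseDb"]; // assumed key
        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT COUNT(*) FROM Cases WHERE CaseId = @id AND OwnerUserName = @user",
            conn))
        {
            // Parameterised so a crafted case number cannot alter the query.
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = caseNumber;
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

The same ownership check has to run again on the update page's save postback, because the case number it carries back (hidden field, ViewState or form value) is once more client-supplied. If the grid's per-user filter is the only place the check happens, a direct request such as UpdateCase.aspx?case=N bypasses it entirely, which is exactly the scenario Tim describes.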
    
