Posts

Showing posts from November, 2010

Security with Server.Transfer

The difference between Response.Redirect and Server.Transfer is a favorite (and common) interview question. One of the benefits of Server.Transfer is that the round trip to the client browser is avoided. Recently, we were so carried away by this advantage that we hit a security issue (and this one is usually not mentioned on the interview-question listing sites :-)).

We are using a custom HTTP module that takes care of Windows Live authentication plus our custom-defined authorization, and it passes the request on to the ASPX page only if the user is defined as a valid user for the page being accessed:

indexpage.aspx -> accessible to all
specialpage.aspx -> accessible to admins only

indexpage.aspx had some logic and redirected to specialpage.aspx on a special condition. Something went wrong in this check, and users who had no permission for specialpage.aspx were sent to it via Server.Transfer. And because we were using Server.Transfer, the request got transferred directly, without the HTTP module coming in between. Had we used Response.R...
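The failure mode described above, as an added example that is not code from the original post: an HttpModule performs its authorization at the AuthorizeRequest stage, which fires once per incoming request. Server.Transfer hands execution to the target page inside the same request, so the pipeline (and the module) never runs again for specialpage.aspx; the same applies to web.config URL authorization. The defensive fix is to run the same authorization check for the target page before transferring, and to have the protected page enforce its own check so it is safe no matter how it is reached. The class and method names (PageAuthorizer, AuthorizationModule, IndexPage, SpecialPage) and the "Admin" role are assumptions for illustration.

```csharp
// Added example, not the post's own code. Assumes an ASP.NET Web Forms app whose
// HttpModule handles authentication and page-level authorization. All names below
// (PageAuthorizer, AuthorizationModule, IndexPage, SpecialPage, role "Admin") are hypothetical.
using System;
using System.Web;
using System.Web.UI;

// Shared authorization rule, so the module and the pages cannot drift apart.
public static class PageAuthorizer
{
    // indexpage.aspx: any authenticated user. specialpage.aspx: admins only.
    public static bool IsAllowed(HttpContext ctx, string appRelativePath)
    {
        var user = ctx.User;
        if (user == null || !user.Identity.IsAuthenticated) return false;
        if (string.Equals(appRelativePath, "~/specialpage.aspx", StringComparison.OrdinalIgnoreCase))
            return user.IsInRole("Admin");
        return true;
    }
}

// Runs once per request at AuthorizeRequest. A Server.Transfer issued later in the
// same request does not re-enter the pipeline, so this check is NOT repeated for the target page.
public class AuthorizationModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.AuthorizeRequest += (sender, e) =>
        {
            var ctx = ((HttpApplication)sender).Context;
            if (!PageAuthorizer.IsAllowed(ctx, ctx.Request.AppRelativeCurrentExecutionFilePath))
            {
                ctx.Response.StatusCode = 403;
                ctx.ApplicationInstance.CompleteRequest();
            }
        };
    }

    public void Dispose() { }
}

// Code-behind for indexpage.aspx (accessible to all authenticated users).
public partial class IndexPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Hypothetical trigger for the "special condition" from the post.
        bool specialCondition = Request.QueryString["special"] == "1";
        if (!specialCondition) return;

        // Vulnerable form: transfers in-process, skipping the module's authorization.
        // Server.Transfer("~/specialpage.aspx");

        // Hardened form: apply the target page's own rule before transferring.
        if (!PageAuthorizer.IsAllowed(Context, "~/specialpage.aspx"))
        {
            Response.StatusCode = 403;
            Context.ApplicationInstance.CompleteRequest();
            return;
        }
        Server.Transfer("~/specialpage.aspx");
    }
}

// Code-behind for specialpage.aspx: defence in depth, the page protects itself
// regardless of whether it was reached by a fresh request or by Server.Transfer.
public partial class SpecialPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!PageAuthorizer.IsAllowed(Context, "~/specialpage.aspx"))
        {
            Response.StatusCode = 403;
            Context.ApplicationInstance.CompleteRequest();
        }
    }
}
```

Using Response.Redirect instead of Server.Transfer would also restore the check, because the browser's follow-up request to specialpage.aspx passes through the module again, at the cost of the extra round trip the post mentions. The page-level check in SpecialPage is worth keeping either way, since it does not depend on how callers reach the page.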