Security with Server.Transfer

Difference between Response.Redirect and Server.Transfer is a favorite (and common) interview question. One of the benefits of Server.Transfer is that round trip to the client browser is avoided. Recently, we were so much carried away by this advantage that we hit a security issue (and this is usually not mentioned in the interview questions listing sites :-)).

We are using a custom http module for that takes care of Windows Live authentication + custom defined authorization and sends it to the asp if the user is defined as valid user for the page accessed.

indexpage.aspx -> accessible to all
specialpage.aspx - > accessible to only admins

indexpage.aspx had a logic and redirect to specialpage.aspx on a special condition. Something went wrong in this checking and users who had no permission to specialPage.aspx were sent to it via Server.Transfer. And because we were using Server.Transfer, it directly got transferred without the httpmodule comong in between. Had we used Response.Redirect, although the logic was skewed, user would not be able to see special page - since it again passes through the http module.

So, I'll beware of this next time I think about using Server.Transfer.

Comments

Post a Comment

Popular posts from this blog

Dirty workarouds: dirty page checking + AJAX

Dirty page checking is scenario when you have a form, user does some modifications and before hitting the save button, tries to leave the page. Enterprise web applications have a requirement to intimate the user that "there are unsaved details" and "do you really want to move away from this page". The idea of solution behind this is 1. use of window.beforeunload and 2. use of onchange to register the window.beforeunload. As setting window.beforeunload manually for each control can be timeconsuming, we need a generic solution which will work with minimal code changes. If you search for this on internet, you will find the following generic code: <script type="text/javascript"> function setDirty() { window.onbeforeunload = showNavigateAwayMessage; } function clearDirty() { window.onbeforeunload = ""; } function showNavigateAwayMessage() { return "There is some unsaved Data in this form." } function setControlChangeEvent() { if (typeo...
Read more

ASP Upload and localization

The Asp.Net (or in general html) file upload control displays the text "Browse". There is no attribute which allows controlling the text displayed. This goes against the localization principals which says every text/label may appear in local language. I did the following workaround... (Is there any simpler workaround... Your suggestions are welcome) ===Explanation=== Basically I hide the actual upload control and instead use proxy controls which look similar to the ones rendered by the browser and are localized. I have used javascripts to hook up required events to make it work like an exact original browser one. ====ASPX file==== <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="FileUpload._Default" %> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <script language=javascript> function Bubb...
Read more