Microsoft Knowledge Base Email Alertz
All KB/RSS Links  |  Hot Kb!  |  New Kb!  |  Scott Cate  |  FAQ / KB  |  Web Hosting  |  Unsubscribe  

(320976) - When you use the Server.Transfer method to redirect to a page that the user identity is not authorized to view, the page is processed. This behavior also occurs with the Server.Execute method.

Search KbAlertz

Advanced Search

Receive Microsoft Knowledge Base articles by E-Mail?

Every night we scan the Microsoft Knowledge Base. If technologies you're interested in are updated, we'll send you an e-mail. You only get one e-mail a day, and only when new articles are added.
Click here to create a
FREE account
Already have an account?
[Click here to Login]











Microsoft Knowledge Base Article

This article contents is Microsoft Copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks

PRB: Server.Transfer Allows Unauthorized Pages to Be Displayed

Article ID: 320976 - View products that this article applies to.
This article was previously published under Q320976

SYMPTOMS

When you use the Server.Transfer method to redirect to a page that the user identity is not authorized to view, the page is processed. This behavior also occurs with the Server.Execute method.
Back to the top | Give Feedback

CAUSE

Server.Transfer and Server.Execute use a different handler to process the page instead of making another request from the server, which would force reauthorization.
Back to the top | Give Feedback

RESOLUTION

To work around this behavior, force reauthorization, or write your own access control mechanism.

To force reauthorization, use one of the following methods:
  • Use the Response.Redirect method.
  • Use some other means to check the access before you call Server.Transfer or Server.Execute. For example, you can conditionally make sure that the user has access to a page by using the User.IsInRole("Role") method before you call Server.Execute or Server.Transfer.
Back to the top | Give Feedback

STATUS

This behavior is by design.
Back to the top | Give Feedback

MORE INFORMATION

Although Server.Transfer and Server.Execute behave as expected, Microsoft is considering an alternate means to request reauthorization in a future release of the product.
Back to the top | Give Feedback

REFERENCES

For more information, visit the following Microsoft Developer Network (MSDN) Web sites:
Role-Based Security Checks
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconrole-basedsecuritychecks.asp
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconrole-basedsecuritychecks.asp)


WindowsPrincipal.IsInRole Method
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemSecurityPrincipalWindowsPrincipalClassIsInRoleTopic.asp
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemSecurityPrincipalWindowsPrincipalClassIsInRoleTopic.asp)


Authorization
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconAuthorization.asp
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconAuthorization.asp)
Back to the top | Give Feedback

Properties

Article ID: 320976 - Last Review: July 8, 2003 - Revision: 2.5
APPLIES TO
  • Microsoft ASP.NET 1.1
  • Microsoft ASP.NET 1.0
Keywords: 
kbprb kbsecurity KB320976
Back to the top | Give Feedback
        

Community Feedback System

Very often, it takes hours to solve a problem. Very often, you've looked high and low, and have tried a lot of solutions. When you finally found it, chances are, it was because someone else helped you. Here's your chance to give back. Use our community feedback tool to let others know what worked for you and what didn't.

Please also understand that the community feedback system is not warranted to be correct, it's simply a system that we've built to let people try and help each other. If something in a feedback response doesn't make sense to you, or you're not comfortable making changes that the feedback talks about (like registry edits), please consult a professional.

Thank you for using kbAlertz.com Feedback System.

-- Scott Cate

Copyright © 2002-2007 KBALERTZ.COM.  All Rights Reserved. Terms / PrivacyDiscount ASP.NET Hosting