Microsoft Knowledge Base Article
This article's content is Microsoft copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved.
PRB: Server.Transfer Allows Unauthorized Pages to Be Displayed
Article ID: 320976
Last Review: July 8, 2003
Revision: 2.3
This article was previously published under Q320976
SYMPTOMS
When you use the Server.Transfer method to redirect to a page that the user identity is not authorized to view, the page is processed. This behavior also occurs with the Server.Execute method.
CAUSE
Server.Transfer and Server.Execute use a different handler to process the page instead of making another request from the server, which would force reauthorization.
RESOLUTION
To work around this behavior, force reauthorization, or write your own access control mechanism.
To force reauthorization, use one of the following methods:
• Use the Response.Redirect method.
• Use some other means to check the access before you call Server.Transfer or Server.Execute. For example, you can conditionally make sure that the user has access to a page by using the User.IsInRole("Role") method before you call Server.Execute or Server.Transfer.
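The second option, written out as an added example (it is not code from the Microsoft article): a helper that checks User.IsInRole before calling Server.Transfer and falls back to Response.Redirect, which forces reauthorization. The class name GuardedTransfer, the page names and the role names are assumptions made up for illustration; the code uses only ASP.NET 1.x-compatible APIs.

```csharp
using System.Collections;
using System.Collections.Specialized;
using System.Security.Principal;
using System.Web;

// Hypothetical helper, not from the KB article. Server.Transfer does not
// re-run authorization for the target, so the check is made explicitly first.
public class GuardedTransfer
{
    // Constructed sample map: target page -> role required to view it.
    // Keep it in step with the <authorization> rules that protect these pages.
    private static readonly Hashtable RequiredRole = BuildMap();

    private static Hashtable BuildMap()
    {
        // Case-insensitive keys, because IIS paths are not case-sensitive.
        Hashtable map = CollectionsUtil.CreateCaseInsensitiveHashtable();
        map["AdminReport.aspx"] = "Administrators";
        map["Salaries.aspx"] = "HR";
        return map;
    }

    // True only when the target is listed and the caller holds its role.
    // Unlisted targets and anonymous callers are refused (fail closed).
    public static bool IsAllowed(IPrincipal user, string target)
    {
        string role = (target == null) ? null : RequiredRole[target] as string;
        return role != null
            && user != null
            && user.Identity.IsAuthenticated
            && user.IsInRole(role);
    }

    public static void Transfer(HttpContext context, string target)
    {
        if (IsAllowed(context.User, target))
        {
            context.Server.Transfer(target);
        }
        else
        {
            // Response.Redirect makes the browser issue a new request, so the
            // server authorizes this user against the target page again.
            context.Response.Redirect(target);
        }
    }
}
```

From a page, call GuardedTransfer.Transfer(Context, "AdminReport.aspx") in place of Server.Transfer, passing fixed page names rather than values taken from the request.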
STATUS
This behavior is by design.
MORE INFORMATION
Although Server.Transfer and Server.Execute behave as expected, Microsoft is considering an alternate means to request reauthorization in a future release of the product.
APPLIES TO
• Microsoft ASP.NET 1.1
• Microsoft ASP.NET 1.0