PRB: Server.Transfer Allows Unauthorized Pages to Be Displayed (320976)
The information in this article applies to:
- Microsoft ASP.NET (included with the .NET Framework 1.1)
- Microsoft ASP.NET (included with the .NET Framework) 1.0
This article was previously published under Q320976
SYMPTOMS
When you use the Server.Transfer method to transfer to a page that the current user identity is not authorized to view (for example, a page protected by an <authorization> rule in Web.config), the page is processed and rendered anyway. The same behavior occurs with the Server.Execute method.
CAUSE
Server.Transfer and Server.Execute hand the current request to the handler for the target page instead of causing the browser to make a new request to the server. URL authorization runs once per request, for the URL that was originally requested, so it is never evaluated for the target page. Only a new request would force reauthorization.
RESOLUTION
To work around this behavior, force reauthorization, or write your own access control mechanism.
To force reauthorization, use one of the following methods:
- Use the Response.Redirect method.
- Check access yourself before you call Server.Transfer or Server.Execute. For example, verify that the user is in a role that is permitted to view the target page by calling User.IsInRole("Role"), and transfer only when that check succeeds.
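The following code-behind class is an added example, not code from the original article, that shows the unchecked pattern beside the two workarounds. The page names, the "Admin" role, and the Web.config rule quoted in the comment are assumptions for illustration.

```csharp
// Added example (not from the KB article). Assumed: AdminReport.aspx is
// restricted to the "Admin" role in Web.config, and this class is the
// code-behind for a menu page that every authenticated user can reach.
using System;
using System.Web;
using System.Web.UI;

public class ReportMenu : Page
{
    // Assumed Web.config rule for the target page:
    //   <location path="AdminReport.aspx">
    //     <system.web>
    //       <authorization>
    //         <allow roles="Admin" />
    //         <deny users="*" />
    //       </authorization>
    //     </system.web>
    //   </location>
    // This rule is evaluated once per request, for the requested URL only.
    // It is not re-evaluated for the target of Server.Transfer or Server.Execute.

    private const string AdminPage = "AdminReport.aspx";   // assumed page name
    private const string DeniedPage = "AccessDenied.aspx"; // assumed page name

    // VULNERABLE: any user who can reach ReportMenu.aspx gets AdminReport.aspx
    // rendered, because the transfer happens inside the already-authorized request.
    protected void ShowAdminReportUnchecked()
    {
        Server.Transfer(AdminPage);
    }

    // Workaround 1: Response.Redirect sends the browser to AdminReport.aspx in a
    // new request, so the authorization rule above is enforced for that URL.
    protected void ShowAdminReportViaRedirect()
    {
        Response.Redirect(AdminPage);
    }

    // Workaround 2: perform the access check in code, then transfer in-process.
    protected void ShowAdminReportChecked()
    {
        if (!IsAuthorizedFor(AdminPage))
        {
            // Deny explicitly; Response.Redirect ends the response, so the
            // transfer below is never reached for an unauthorized user.
            Response.Redirect(DeniedPage);
            return;
        }
        Server.Transfer(AdminPage);
    }

    // Central check that mirrors the Web.config rule, because the pipeline will
    // not apply that rule to a transferred page. Fail closed on any doubt.
    private bool IsAuthorizedFor(string virtualPath)
    {
        if (User == null || User.Identity == null || !User.Identity.IsAuthenticated)
        {
            return false;
        }

        switch (virtualPath)
        {
            case "AdminReport.aspx":
                return User.IsInRole("Admin"); // assumed role name
            default:
                return false; // unknown target: deny rather than guess
        }
    }
}
```

The in-code check must be kept in step with the Web.config rules it duplicates; if the rule for AdminReport.aspx changes, IsAuthorizedFor must change with it. Later versions of the .NET Framework (2.0 and up) expose UrlAuthorizationModule.CheckUrlAccessForPrincipal to evaluate the configured rules for an arbitrary path, but that method is not available in the 1.0 and 1.1 releases this article covers.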
STATUS
This behavior is by design.
MORE INFORMATION
Although Server.Transfer and Server.Execute behave as designed, Microsoft is considering an alternate means to request reauthorization for the target page in a future release of the product.
REFERENCES
For more information, visit the following Microsoft Developer Network (MSDN) Web sites:
Modification Type: Minor
Last Reviewed: 7/8/2003
Keywords: kbprb kbSecurity KB320976 kbAudDeveloper