Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

PRB: Server.Transfer Allows Unauthorized Pages to Be Displayed


View products that this article applies to.

Symptoms

When you use the Server.Transfer method to redirect to a page that the user identity is not authorized to view, the page is processed. This behavior also occurs with the Server.Execute method.

↑ Back to the top


Cause

Server.Transfer and Server.Execute use a different handler to process the page instead of making another request from the server, which would force reauthorization.

↑ Back to the top


Resolution

To work around this behavior, force reauthorization, or write your own access control mechanism.

To force reauthorization, use one of the following methods:
  • Use the Response.Redirect method.
  • Use some other means to check the access before you call Server.Transfer or Server.Execute. For example, you can conditionally make sure that the user has access to a page by using the User.IsInRole("Role") method before you call Server.Execute or Server.Transfer.

↑ Back to the top


Status

This behavior is by design.

↑ Back to the top


More information

Although Server.Transfer and Server.Execute behave as expected, Microsoft is considering an alternate means to request reauthorization in a future release of the product.

↑ Back to the top


Keywords: KB320976, kbsecurity, kbprb

↑ Back to the top

Article Info
Article ID : 320976
Revision : 7
Created on : 7/8/2003
Published on : 7/8/2003
Exists online : False
Views : 463