Can one cause Page.IsPostBack to be true independently of ASP.net?

Views: 151

Question

If one is checking a user's roles to determine whether they may access a page, is it safe to put this check only inside an if (!Page.IsPostBack) { ... }? Could it be possible for the client to cause Page.IsPostBack == true independently of ASP.net; that is, the client POSTs to the page and sets the right form fields? If that were possible, then I suppose best practice would be to check security on every page load, not just when Page.IsPostBack == false.

Recommended answer

Sorry to all those who have answered already, but I don't agree that only checking for security authorization inside a Page.IsPostBack == false block is necessarily insecure (as long as event validation and encrypted viewstate are turned on). I have explained why I think this here (http://stackoverflow.com/questions/6328618/a-secure-implementation-of-page-ispostback/6342911#6342911), but the short answer is: I don't think you can spoof a postback to a page without first loading it in a non-postback context to get the viewstate and eventvalidation form fields. The viewstate field returned will cause the content you've hidden inside your Page.IsPostBack == false block to stay hidden in any postback which uses that viewstate, and because the viewstate is encrypted it can't be tampered with.
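The two patterns under discussion side by side, as an added example that is not from the question or the answer above: the first page checks the role only on the non-postback load and therefore depends on the settings the answer names (event validation plus encrypted ViewState); the second runs the check on every request so it does not depend on ViewState at all. The role name "Admin", the page class names, the AdminPanel control and the redirect target are assumed for illustration.

```csharp
// Hypothetical code-behind classes for two ASP.NET Web Forms pages.
// Preconditions the answer relies on, set once in web.config:
//   <pages enableEventValidation="true" viewStateEncryptionMode="Always" />
// (or the equivalent EnableEventValidation / ViewStateEncryptionMode
// attributes on each @Page directive).
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Pattern from the question: authorization runs only when !IsPostBack.
// Safe only while the ViewState a later postback carries is encrypted and
// event-validated, because that ViewState is what keeps AdminPanel hidden
// for a caller who never passed the check on the initial GET.
public partial class CheckOnlyOnFirstLoadPage : Page
{
    protected Panel AdminPanel;   // assumed control declared in the .aspx markup

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            if (!User.IsInRole("Admin"))
            {
                Response.Redirect("~/AccessDenied.aspx", endResponse: true);
            }
            AdminPanel.Visible = true;   // persisted in ViewState for later postbacks
        }
    }
}

// The every-request variant the questioner calls best practice: the check
// runs in OnInit, before ViewState is loaded and regardless of IsPostBack,
// so a forged or replayed POST gains nothing even if ViewState settings
// are later weakened.
public partial class CheckEveryRequestPage : Page
{
    protected Panel AdminPanel;   // assumed control declared in the .aspx markup

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (!User.IsInRole("Admin"))
        {
            Response.StatusCode = 403;
            Response.End();
        }
        AdminPanel.Visible = true;
    }
}
```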
