Can one cause Page.IsPostBack to be true independently of ASP.net?


Question

If one is checking a user's roles to determine whether they may access a page, is it safe to put this check only inside an if (!Page.IsPostBack) { ... }? Could it be possible for the client to cause Page.IsPostBack == true independently of ASP.net; that is, the client POSTs to the page and sets the right form fields? If that were possible, then I suppose best practice would be to check security on every page load, not just when Page.IsPostBack == false.

Answer

Sorry to all those who have answered already, but I don't agree that only checking for security authorization inside a Page.IsPostBack == false block is necessarily insecure (as long as event validation and encrypted viewstate are turned on). I have explained why I think this here, but the short answer is: I don't think you can spoof a postback to a page without first loading it in a non-postback context to get the viewstate and eventvalidation form fields. The viewstate field returned will cause the content you've hidden inside your Page.IsPostBack == false block to stay hidden in any postback which uses that viewstate, and because the viewstate is encrypted it can't be tampered with.
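The two patterns the question and answer are weighing, as an added example (this is editorial illustration, not code from the question, the answer, or ASP.NET itself). The first pattern leaves the role check inside the `!IsPostBack` block, so on later postbacks the page relies on the `Visible` state coming back inside `__VIEWSTATE`; the second runs the check on every request, before viewstate is loaded and before any control event fires, so the decision never depends on what the client posted back. The role name `Admin`, the control IDs `AdminPanel` and `DeleteButton`, and the class name `AdminPage` are assumptions made for the example; the `<pages>` attributes quoted in the comment are the real web.config switches for event validation and viewstate MAC/encryption that the answer refers to.

```csharp
// Added example, not from the original question or answer.
// Assumed names: role "Admin", controls AdminPanel / DeleteButton, class AdminPage.
//
// The answer's preconditions are set in web.config (real attributes of <pages>):
//   <pages enableEventValidation="true"
//          enableViewStateMac="true"
//          viewStateEncryptionMode="Always" />
// With these on, a tampered or fabricated __VIEWSTATE fails MAC validation,
// and a postback naming a control that was never rendered fails event validation.

using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class AdminPage : Page
{
    private const string RequiredRole = "Admin"; // hypothetical role name

    // Pattern 1 (the one the question asks about): the check runs only on the
    // first, non-postback load. AdminPanel stays hidden on later postbacks only
    // because Control.Visible is round-tripped in __VIEWSTATE, so the page's
    // authorization is exactly as strong as viewstate MAC/encryption.
    private void CheckRoleOnFirstLoadOnly()
    {
        if (!IsPostBack)
        {
            if (!User.IsInRole(RequiredRole))
            {
                AdminPanel.Visible = false;
            }
        }
    }

    // Pattern 2: the check runs on every request, postback or not. OnInit runs
    // before viewstate is loaded and before any control event handler, so no
    // field the client sent (__VIEWSTATE, __EVENTTARGET, ...) can influence it.
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (!User.IsInRole(RequiredRole))
        {
            // Throwing ends page processing here; nothing below this point runs.
            throw new HttpException(403, "Forbidden");
        }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // !IsPostBack is still the right place for one-time UI setup such as
        // initial data binding; it is just no longer where authorization lives.
        if (!IsPostBack)
        {
            AdminPanel.Visible = true;
        }
    }

    protected void DeleteButton_Click(object sender, EventArgs e)
    {
        // Per-action re-check: costs one role lookup and does not depend on
        // whether the button was rendered in the page that produced this postback.
        if (!User.IsInRole(RequiredRole))
        {
            throw new HttpException(403, "Forbidden");
        }
        // ... privileged work goes here ...
    }
}
```

`CheckRoleOnFirstLoadOnly` is kept only to show the shape of the first pattern; it is not wired to any event. Under pattern 2 the answer's reasoning about viewstate is no longer load-bearing: even a client who has obtained a valid, MAC-protected `__VIEWSTATE` from a non-postback load still has to pass `User.IsInRole` on the very request it posts back.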
