If one is checking a user's roles to determine whether they may access a page, is it safe to put this check only inside an if (!Page.IsPostBack) { ... }? Could it be possible for the client to cause Page.IsPostBack == true independently of ASP.net; that is, the client POSTs to the page and sets the right form fields? If that were possible, then I suppose best practice would be to check security on every page load, not just when Page.IsPostBack == false.
PostBack is done if certain credentials of the page are to be checked against some sources (such as verification of username and password using database). This is something that a client machine is not able to accomplish and thus these details have to be 'posted back' to the server.
AutoPostBack = true permits control to post back to the server. It is associated with an Event.
IsPostBack is used to check if the page is responding to a post back event, like clicking a button. So, let's say you have some textboxes for users to change some data and then click a button to submit the data.
The Page.IsPostBack property is used to check whether the page is a post back. It returns a bool value.
Easily. And it doesn't even have to be via an HTTP post.
IsPostBack checks for the ViewState and Event* hidden fields. If you supply those fields on the query string then IsPostBack will actually return true, so, for example, a client page which tries to load an image using that jerry-rigged query string will cause the code behind to believe it's a post back.
As a concrete example, suppose your page has a button that only administrators are supposed to be able to see and click:
<asp:Button runat="server" ID="resetButton" Text="Reset" OnClick="resetButton_Click" />
Inside an if (!IsPostBack) block in the code-behind, you hide the button if the user isn't an admin:
protected override void OnInit(EventArgs e)
{
    base.OnInit(e); // let the page perform its own initialization first

    // The visibility decision is only made on the first (non-postback) request.
    if (!IsPostBack)
    {
        resetButton.Visible = IsAdmin();
    }
}

private bool IsAdmin()
{
    ...
}
Question: Can a non-administrator cause the code in resetButton_Click to execute?
Answer: YES, even if view state and event validation are enabled.
Someone can simply browse to your page with ?__VIEWSTATE= or ?__EVENTTARGET= appended to the URL (causing IsPostBack to return true) and then click the button.
Conclusion: Turning off sensitive functionality in if (!IsPostBack) is NOT safe.
To fix the problem, remove the IsPostBack check or add Visible="False" to the button markup (secure by default).
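A hardened version of the page discussed in the answer above, added here as an example that is not part of the original answer. The page class name AdminReset, the "Admin" role name, and the bodies of IsAdmin() and PerformReset() are assumptions.

```csharp
// Added example, not code from the original answer: the page hardened so the
// authorization decision no longer depends on IsPostBack. The page name
// AdminReset, the IsAdmin() helper body and the "Admin" role are assumed.
//
// Markup (AdminReset.aspx), hidden by default so a failed check leaves it hidden:
//   <asp:Button runat="server" ID="resetButton" Text="Reset"
//               Visible="False" OnClick="resetButton_Click" />

using System;
using System.Web;
using System.Web.UI;

public partial class AdminReset : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Evaluated on every request, including those where IsPostBack was
        // forced to true with ?__VIEWSTATE= or ?__EVENTTARGET= in the URL.
        resetButton.Visible = IsAdmin();
    }

    protected void resetButton_Click(object sender, EventArgs e)
    {
        // Defence in depth: enforce the role at the point the privileged
        // action runs, not only when deciding whether to render the button.
        if (!IsAdmin())
        {
            throw new HttpException(403, "Forbidden");
        }

        PerformReset();
    }

    private bool IsAdmin()
    {
        // Derive the decision from the server-side authenticated principal,
        // never from view state, hidden fields or query-string values.
        return User != null
            && User.Identity.IsAuthenticated
            && User.IsInRole("Admin"); // role name is an assumed placeholder
    }

    private void PerformReset()
    {
        // Hypothetical privileged operation; body omitted.
    }
}
```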