Can one cause Page.IsPostBack to be true independently of ASP.net?

Question

If one is checking a user's roles to determine whether they may access a page, is it safe to put this check only inside an if (!Page.IsPostBack) { ... }? Could it be possible for the client to cause Page.IsPostBack == true independently of ASP.net; that is, the client POST's to the page and sets the right form fields? If that were possible, then I suppose best practice would be to check security on every page load, not just when Page.IsPostBack == false.

Answer 1

Easily. And it doesn't even have to be via an HTTP post.

IsPostBack checks for the ViewState and Event* hidden fields. If you supply those fields on the query string then IsPostBack will actually return true, so, for example, a client page which tries to load an image using that jerry-rigged query string will cause the code behind to believe it's a post back.

Answer 2

As a concrete example, suppose your page has a button that only administrators are supposed to be able to see and click:

<asp:Button runat="server" ID="resetButton" Text="Reset" OnClick="resetButton_Click" />

Inside an if (!IsPostBack) block in the code-behind, you hide the button if the user isn't an admin:

protected override void OnInit(EventArgs e)
{
    if (!IsPostBack)
        resetButton.Visible = IsAdmin();
}

private bool IsAdmin()
{
    ...
}

Question: Can a non-administrator cause the code in resetButton_Click to execute?

Answer: YES, even if view state and event validation are enabled.

Someone can simply browse to your page with ?__VIEWSTATE= or ?__EVENTTARGET= appended to the URL (causing IsPostBack to return true) and then click the button.

Conclusion: Turning off sensitive functionality in if (!IsPostBack) is NOT safe.

To fix the problem, remove the IsPostBack check or add Visible="False" to the button markup (secure by default).