Hiding controls as a form of web security, suggestions for improvement?

I am working on a website (developed in ASP.NET with C#) that has been submitted to me. When I work on a site, I notice that most sites on it have this type of code:

EmailLabel.Visible = false; WhateverButton.Visible = false; AnotherControl.Visible = false; ... 

All this is usually done in the site code (in the Page_Load method). In fact, this was put in place to prevent a user who is not a registered user from gaining access to the components (the rule for a site is that a user without registration should not see any part of the site before entering the system). The way described above works ... but it seems quite expensive to always check if the user is registered and then put him in the correct state for all these components.

Is there any other way to approach this problem? Just thinking about this / research, I thought that there might be a way to redirect to the home page if the user does not log in. Even further, I could expand the base page, which will do this for any page that extends the base page. However, my knowledge in this area is limited, so my proposal may not work.

What can SO offer? Anything better? Is it good enough?

+7
security c#
3 answers

We do this a lot at my work.

The way we achieve this is to create the BasePage class, which inherits from System.Web.UI.Page. Then you override OnInit, call base.OnInit and add the code to verify the registered user. If the user is not logged in, redirect them to the login page (which will not inherit from BasePage).

Then on each page that needs to be protected, just change the page to inherit from BasePage.

And contrary to what womp says above, if you write Response.End(); after redirecting, it's much faster than even continuing to process the rest of the page!

Hope this helps.

+2
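The BasePage pattern from this answer, written out as an added example (not the answerer's or the asker's code). Names such as BasePage, AccountSettings and the ~/Login.aspx URL are assumptions; Request.IsAuthenticated, Response.Redirect and HttpUtility.UrlEncode are the standard System.Web APIs.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical base class for every page that requires a signed-in user.
// Pages that must stay reachable anonymously (the login page itself) do NOT inherit from it.
public class BasePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Request.IsAuthenticated is true once the authentication module (e.g. Forms
        // Authentication) has accepted the caller's ticket for this request.
        if (!Request.IsAuthenticated)
        {
            // Assumed login URL; a real project would read it from the <forms loginUrl="...">
            // setting in web.config (FormsAuthentication.LoginUrl). The return URL lets the
            // login page send the user back to the page they asked for.
            string returnUrl = HttpUtility.UrlEncode(Request.RawUrl);

            // endResponse = true stops the page lifecycle right here, so Page_Load and the
            // rest of the protected page never run for an anonymous caller. This is the
            // effect the answer describes with Response.End() after the redirect.
            Response.Redirect("~/Login.aspx?ReturnUrl=" + returnUrl, true);
        }
    }
}

// A protected page only has to change its base class; no per-control Visible toggling
// is needed for the access gate itself.
public partial class AccountSettings : BasePage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Only reached by authenticated users.
    }
}
```

One check worth keeping in mind: the redirect guards the page's own lifecycle, so every page class that exposes something to signed-in users must actually derive from BasePage; a page that keeps inheriting directly from System.Web.UI.Page is silently unprotected. The same gate can also be declared centrally in web.config with a `<deny users="?" />` authorization rule for the protected folder, which fails closed for pages someone forgets to switch over.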

There is a LoginView control, which is a panel with an anonymous view, authenticated view, and views for specific roles. It makes it easier.

http://www.creativeui.com/2007/10/05/net-membership-part-ii-loginview/

+1

It would be much more expensive, many orders of magnitude more, to issue a redirect than to set Visible flags on multiple controls.

If your page allows both anonymous access and login, redirecting will also require allowing anonymous access in another way, possibly by creating a second version of the page.

The issue of spending is really just on the sidelines, although it probably doesn't matter at all. To answer your basic question, without knowing more about the architecture of your application, I would find both of these things undesirable. The advantages of simple Visible = false element management are that nothing is passed to the output stream for invisible controls, but they can still interact with server requests.

Without knowing more about the requirements for your page, it is difficult to suggest alternatives. As already mentioned, LoginView can satisfy your needs if invisible controls are not involved at all with anonymous users.

+1
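The point made in this answer, that a control with Visible = false emits nothing to the output stream but still exists on the server and can take part in request processing, has a security consequence that is easy to miss. The following is an added example (not code from the question or any answer) with assumed names (Dashboard, DeleteButton, the "Admin" role); Page.User, IPrincipal.IsInRole and Response.StatusCode are standard System.Web members.

```csharp
using System;
using System.Web.UI;

// Hypothetical page whose markup (Dashboard.aspx) declares one server control:
//   <asp:Button ID="DeleteButton" runat="server" Text="Delete" OnClick="DeleteButton_Click" />
public partial class Dashboard : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Hiding the control is a rendering decision: with Visible = false no HTML, no
        // client id and no view state for the button reach the browser. It is cheap, as
        // the answer says, and it is fine as a UI measure.
        DeleteButton.Visible = User.Identity.IsAuthenticated && User.IsInRole("Admin");
    }

    protected void DeleteButton_Click(object sender, EventArgs e)
    {
        // The control object is still created on the server for every request, so the
        // handler must not assume "it was hidden, therefore only an Admin can be here".
        // Authorization is re-checked where the privileged action actually happens.
        if (!User.Identity.IsAuthenticated || !User.IsInRole("Admin"))
        {
            Response.StatusCode = 403;   // Forbidden
            Response.End();
            return;
        }

        // ... the privileged action itself ...
    }
}
```

The design rule this illustrates: Visible = false (or LoginView's role-specific templates) decides what the page shows, while the authorization check belongs next to the operation, whichever control or URL triggered it. Keeping the two separate is what lets the cheap per-control approach remain safe.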
