Microsoft KB Archive/320976

= PRB: Server.Transfer Allows Unauthorized Pages to Be Displayed =

Article ID: 320976

Article Last Modified on 7/8/2003

-

APPLIES TO


 * Microsoft ASP.NET 1.1
 * Microsoft ASP.NET 1.0

-



This article was previously published under Q320976



SYMPTOMS
When you use the Server.Transfer method to redirect to a page that the user identity is not authorized to view, the page is processed. This behavior also occurs with the Server.Execute method.



CAUSE
Server.Transfer and Server.Execute use a different handler to process the page instead of making another request from the server, which would force reauthorization.



RESOLUTION
To work around this behavior, force reauthorization, or write your own access control mechanism.

To force reauthorization, use one of the following methods:
 * Use the Response.Redirect method.
 * Use some other means to check the access before you call Server.Transfer or Server.Execute. For example, you can conditionally make sure that the user has access to a page by using the User.IsInRole(&quot; &quot;) method before you call Server.Execute or Server.Transfer.



STATUS
This behavior is by design.



MORE INFORMATION
Although Server.Transfer and Server.Execute behave as expected, Microsoft is considering an alternate means to request reauthorization in a future release of the product.

