Home/ Questions/Q 8323741
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-08T23:48:58+00:00

I have an asp.net webforms project. In there, an Admin has the ability to

  • 0

I have an asp.net webforms project. In there, an “Admin” has the ability to get to a screen to submit a form that will create a new user (CreateUser.aspx).

If that user’s permission is changed later to be less than Admin they can’t access that screen anymore to create new users. However, if they saved the exact web request to create a new user from when they were an admin, they can replay this and create new users still.

It is not possible for a random person to submit this form though unless they guess an active session id (that is the only thing checked on each form submit).

CreateUser is one of many examples of admin functions. Is the proper solution to this to validate that the user is an admin on each of these different form submits (not sure of a clean way to do this in asp.net)? Or is it acceptable to just expire the session on logout and never reuse session id’s? Does asp.net have any other security features built-in to protect against this type of attack?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    One way, is to have a base class(Which inturn inherits the class – “page”) and all your aspx pages should inherit this base class. so that whenever a aspx page loads, your base pageLoad method is called. In this method you can check the authentication and authorization.

        public class BasePage : System.Web.UI.Page
    {

        public BasePage()
        {
            this.Load += new EventHandler(BasePage_Load);
        }

     void BasePage_Load(object sender, EventArgs e)
        {
     //Check authentication/authorized
    //if authenticated/authorized leave it.. If not redirect to error page
        }
    }

    public partial class Forms_CreateUser : BasePage
    {
        protected void Page_Load(object sender, EventArgs e)
        {
        }
    }

    public partial class Forms_CreateRole : BasePage
    {
        protected void Page_Load(object sender, EventArgs e)
        {
        }
    }
    • 0