If one is checking a user’s roles to determine whether they may access a page, is it safe to put this check only inside an if (!Page.IsPostBack) { ... }? Could it be possible for the client to cause Page.IsPostBack == true independently of ASP.net; that is, the client POSTs to the page and sets the right form fields? If that were possible, then I suppose best practice would be to check security on every page load, not just when Page.IsPostBack == false.
Sorry to all those who have answered already, but I don’t agree that only checking for security authorization inside a Page.IsPostBack == false block is necessarily insecure (as long as event validation and encrypted viewstate are turned on). I have explained why I think this here, but the short answer is: I don’t think you can spoof a postback to a page without first loading it in a non-postback context to get the viewstate and eventvalidation form fields. The viewstate field returned will cause the content you’ve hidden inside your Page.IsPostBack == false block to stay hidden in any postback which uses that viewstate, and because the viewstate is encrypted it can’t be tampered with.
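The two patterns discussed above side by side, as an added example that is not code from the question or the answer: the role check placed only inside the non-postback branch, and the check moved to OnInit so it runs on every request. The page class, the AdminPanel control, the "Admin" role and the AccessDenied.aspx path are assumed names.

```csharp
// Added example, not from the question or answer above. Assumes a Web Forms
// code-behind with a hypothetical "AdminPanel" control and an "Admin" role.
using System;
using System.Web;
using System.Web.UI;

public partial class AdminPage : Page
{
    // Pattern from the question (shown for comparison, not wired up): the role
    // check only runs on the initial GET. Its safety on later postbacks rests on
    // viewstate encryption and event validation staying enabled in configuration,
    // as the answer above notes, rather than on the check itself.
    private void CheckOnlyOnFirstLoad()
    {
        if (!IsPostBack)
        {
            if (!User.IsInRole("Admin"))
            {
                Response.Redirect("~/AccessDenied.aspx", endResponse: true);
            }
            AdminPanel.Visible = true;
        }
    }

    // Defensive pattern: authorize on every request, before viewstate is applied
    // and before any control event handlers run, regardless of IsPostBack. A
    // replayed or hand-built postback is then rejected exactly like a first GET.
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (!User.IsInRole("Admin"))
        {
            Response.Redirect("~/AccessDenied.aspx", endResponse: true);
        }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Visibility is recomputed on each request from the current principal,
        // so the decision never depends on viewstate carrying it forward.
        AdminPanel.Visible = User.IsInRole("Admin");
    }
}
```

The same per-request enforcement can also be declared in web.config with an authorization rule scoped by a location element, which keeps the decision out of page code entirely.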