Navigation and security location.href and server.transfer

[Guest]

Hi,

Is there any difference in handling the site navigation by using
location.href or by using server.transfer?

window.location.href = '<%=Response.ApplyAppPathModifier("~/MyAccount.aspx")
%>';

or

Server.Transfer(Response.ApplyAppPathModifier("~/MyAccount.aspx"))

What's the difference? Is there a difference in security when using Forms
authentication or Windows Authentication is security affected by using
location.href or server.transfer?

Thanks in advance,

Richard

 

[bruce barker]

using location causes are parse of the page then a request for the new
page. you should use redirect instead as this is just a header.


server transfer does not cause a second request, its just a way to pass
control from one page class instance to another. its main disadvantages
are the url in the browser does not match, and a refresh causes a
postback (with waring).

forms authentication uses a cookie or munged url to pass an
authentication token. if you don't use ssl, then it can hijacked with a
sniffer. with ssl it can be hijacked if the computer has shared access.

windows authentication is more secure. every page is authenticated with
challenge/response dialog. unless the password is short, its very hard
to break. the main disadvantage is some proxies don't support it and its
more chatty.

kerberos has the advantages of windows authentication, wider support and
allows credentials forwarding.


-- bruce (sqlwork.com)

 

[Guest]

Thanks, great explanation by Bruce. I forgot in the original post to ask
about Response.Redirect() is it the same as Server.Transfer() ? Which is the
best way?

Thanks in advance,

Richard