How secure is this?

[Jeff]

Using ASP.NET 1.1

Suppose I put the following code in an aspx code-behind's Page_Load() event
procedure...

if ( ! VerifiedSomething()) {
Server.Transfer("../NoDice.aspx");
Response.End();
}

How secure is this page... in the case that the VerifiedSomething() Boolean
method returns false. How "secure" is this in comparison to ASP.NET's
built-in Forms Authentication?

FWIW: I have thoroughly evaluated ASP.NET's built-in Forms authentication
and I have, for better or worse, a scenario where I can't and don't want to
use ASP.NET's Forms Authentication. But I still want something comparable in
terms of how secure it makes pages... fully understanding that nothing is
100%.

Thanks!

 

[Guest]

Hi Dear Jeff,

have a look at this.

From Custom Authentication to ASP.NET Forms Authentication
By Kevin McFarlane
========================================

http://www.codeproject.com/aspnet/custom_authentication.asp


Bye
Venkat_KL

 

[Jeff]

Thank you for responding Venkat. Do you have any idea what the last
paragraph of my OP means?... everything after "FWIW:"

Just curious.

 

[Kevin Spencer]

It's about the same.

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
You can lead a fish to a bicycle,
but you can't make it stink.

 

[Scott Allen]

I'd strongly recommend using a custom HttpModule instead.

A module can catch events earlier in the processing pipeline and react
before execution even begins in the .aspx code. You'd never have to
worry about a protected page missing the call VerifiedSomething(), so
it would be a great deal more secure.