Can one cause Page.IsPostBack to be true independently of ASP.net?
Question
If one is checking a user's roles to determine whether they may access a page, is it safe to put this check only inside an if (!Page.IsPostBack) { ... }? Could it be possible for the client to cause Page.IsPostBack == true independently of ASP.net; that is, the client POSTs to the page and sets the right form fields? If that were possible, then I suppose best practice would be to check security on every page load, not just when Page.IsPostBack == false.
Answer
Sorry to all those who have answered already, but I don't agree that only checking for security authorization inside a Page.IsPostBack == false block is necessarily insecure (as long as event validation and encrypted viewstate are turned on). I have explained why I think this here, but the short answer is: I don't think you can spoof a postback to a page without first loading it in a non-postback context to get the viewstate and eventvalidation form fields. The viewstate field returned will cause the content you've hidden inside your Page.IsPostBack == false block to stay hidden in any postback which uses that viewstate, and because the viewstate is encrypted it can't be tampered with.
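As an added example (not part of the question or the answer above), the following Python script does what the question describes: it takes the HTML of a page fetched with a normal GET, copies the hidden postback fields that ASP.NET emitted, and builds the POST body that __doPostBack would send. The sample page and its field values are constructed placeholders, `is_postback` is a simplified model of how the runtime decides Page.IsPostBack (an assumption, not ASP.NET's actual code), and `replay_postback` is a hypothetical helper that is not exercised here.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, parse_qs
import urllib.request

# Constructed sample of what a Web Forms page returns on a plain GET.  The
# field values are placeholders, not real ViewState or EventValidation blobs.
SAMPLE_PAGE = """<form method="post" action="./Admin.aspx" id="form1">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJODExMDE5NzY5ZGQ=" />
<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="CA0B0334" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEdAAJv0RkEo=" />
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value="" />
<input type="submit" name="btnDelete" id="btnDelete" value="Delete" />
</form>"""


class HiddenFieldParser(HTMLParser):
    """Collect the name/value of every <input type="hidden"> on the page."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def extract_hidden_fields(html):
    """Return {name: value} for the hidden inputs in a page body."""
    parser = HiddenFieldParser()
    parser.feed(html)
    return parser.fields


def build_postback(html, event_target, extra=None):
    """Build the urlencoded body a browser sends when `event_target` fires
    __doPostBack, reusing the hidden fields from an earlier non-postback GET.
    Raises ValueError when the page gave us no ViewState/EventValidation,
    which is exactly the case where a postback cannot be forged from scratch."""
    fields = extract_hidden_fields(html)
    missing = [f for f in ("__VIEWSTATE", "__EVENTVALIDATION") if f not in fields]
    if missing:
        raise ValueError("cannot craft a postback without " + ", ".join(missing))
    body = dict(fields)
    body["__EVENTTARGET"] = event_target
    body["__EVENTARGUMENT"] = ""
    body.update(extra or {})
    return urlencode(body)


def is_postback(form_body):
    """Simplified model (assumption, not ASP.NET's code) of how the runtime
    decides IsPostBack: the posted form carries __VIEWSTATE or __EVENTTARGET."""
    form = parse_qs(form_body, keep_blank_values=True)
    return "__VIEWSTATE" in form or "__EVENTTARGET" in form


def replay_postback(url, body, cookie_header):
    """Send the crafted postback with the tester's own session cookie (for
    example the .ASPXAUTH forms-auth ticket); hypothetical helper, not run here."""
    req = urllib.request.Request(
        url,
        data=body.encode(),
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Cookie": cookie_header,
        },
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode(errors="replace")


if __name__ == "__main__":
    body = build_postback(SAMPLE_PAGE, "btnDelete")
    print("crafted postback:", body)
    print("server would see IsPostBack =", is_postback(body))
    print("bare POST without viewstate  =", is_postback("btnDelete=Delete"))
```

Note what the script needs before it can produce anything the server will accept: ViewState and EventValidation blobs taken from a non-postback load of the same page, which is the dependency the answer relies on. The pattern the question itself proposes, running the role check on every Page_Load rather than only inside if (!Page.IsPostBack), removes any need to reason about that dependency.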
