February 11th, 2008, 01:12 PM
planoie

A more important factor here is that you are simply redirecting a user to a page based on some session data.

If you do not put some security mechanism on the secure page, I could simply navigate to it directly (of course I need to know what that page is). I don't need to know anything about the session variables or how to hack them. I could simply put in the URL of the supposedly "secure" page and navigate directly to it. This is Imar's point. Use the security mechanism built into ASP.NET and you'll eliminate a lot of the security vulnerabilities.

-Peter
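
The point made in the post above, shown as configuration. This is an added example, not part of the original post: a `web.config` that lets ASP.NET's built-in forms authentication guard the page itself, so a direct request for its URL is checked the same way as a redirect into it. The page and folder names (`Login.aspx`, `Secure.aspx`, `Members`) are assumptions.

```xml
<?xml version="1.0"?>
<!-- web.config at the application root. Added example; file and folder names are assumed. -->
<configuration>
  <system.web>
    <!-- Built-in forms authentication. Any unauthenticated request for a
         protected resource is sent to loginUrl, however the URL was reached. -->
    <authentication mode="Forms">
      <!-- requireSSL="true" assumes the site is served over HTTPS. -->
      <forms loginUrl="~/Login.aspx"
             timeout="20"
             slidingExpiration="true"
             protection="All"
             requireSSL="true" />
    </authentication>

    <!-- Site-wide default: anonymous users are allowed. With only this rule,
         Secure.aspx is open to anyone who types its URL, whatever session
         check ran on the page that normally redirects to it. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Corrected: the protected page carries its own rule.
       "?" means anonymous (unauthenticated) users. -->
  <location path="Secure.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- The same rule applied to a whole folder of pages. -->
  <location path="Members">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this in place the login page validates the credentials and then calls `FormsAuthentication.RedirectFromLoginPage`, which issues the authentication ticket and returns the user to the page originally requested.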