Reposted from Performance Gain – Security Risk
Good intention for better performance may lead to flawed design and bring in more security risks.
Consider the following ASPX page:
Here is why it cannot be accessed:
When trying to navigate there you get:
Great, love URL authorization!!
Now let’s examine another ASPX page:
When navigating to this page you surprisingly get this:
The reason for that is when using Server.Transfer the request to the second page does not go through the whole ASP.NET pipeline which includes URL Authorization module
Security part is here http://msdn2.microsoft.com/en-us/library/ms998375.aspx
Performance part is here http://msdn2.microsoft.com/en-us/library/ms998549.aspx
Performance and Security has never been good friends – fortunately we have J.D. who is bridging the two letting us enjoy both.