Hank

Reputation: 8477

Checking user authentication in Page_Load()... anywhere else?

For each page in my ASP.NET WebForms app I check the user's access like this:

protected void Page_Load(object sender, EventArgs e) {
    if (!UserCanAccessPage())
        RedirectToAccessNotPermitted();

    // < if user has access, set up the page >
}

My question is, is that single check enough or should I check at all other handlers:

protected void seriousDeleteButton_Click(object sender, EventArgs e) {

    // ** DO I NEED TO CHECK ACCESS AGAIN HERE? **

    // < do stuff that only some users have access to >
}

I know under a normal page lifecycle the Page_Load() should always be called before the event handlers, but I'm wondering if there's a tricky way to hit other ASP.NET endpoints with curl or mucking around with javascript or something.

(I'm only talking about regular WebForms-style postbacks, no explicit AJAX stuff. But of course UpdatePanel uses asynchronous JavaScript and I'm sure other controls do too.)

Upvotes: 1

Views: 1595

Answers (1)

Win

Reputation: 62260

Yes, it is enough, because Page_Load will be called every time a user requests a new page or posts back the page. You do not need to check again in button click events.

However, it is fine for a website with a couple of pages. In other words, if you have multiple pages, maintenance will be a nightmare.

Normally, you want to use Forms Authentication, and restrict access to pages by using web.config.

Upvotes: 2
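
The web.config approach the answer mentions, shown as an added example that is not part of the original answer. The login path, the `Admin` folder, the page name and the `Administrators` role are assumed names, and the role rules assume a role provider is configured for the application.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms Authentication: unauthenticated requests are redirected to the login page.
         loginUrl is an assumed path. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx" timeout="30" requireSSL="true" />
    </authentication>

    <!-- Site-wide default: deny anonymous users ("?"). Rules are evaluated
         top-down and the first match wins. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Everything under the assumed Admin folder: only the assumed Administrators
       role is allowed, every other user ("*") is denied. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- A single sensitive page can be restricted the same way (assumed page name). -->
  <location path="Reports/DeleteRecords.aspx">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

These rules are enforced by ASP.NET's URL authorization before the page handler runs, so they apply to the initial GET and to every postback of the page, including the one that would raise a button click handler.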
