Reputation: 1007
For example, let's say that I have a GridView column which has important controls.
Is it secure if I make them invisible for regular users, and visible for admin users?
// Show the column only when the Windows logon user (DOMAIN\user) is the admin account
if (Request.ServerVariables.Get("LOGON_USER").Split('\\')[1] == "MyAdminUser")
{
    GridView1.Columns[0].Visible = true;
}
Upvotes: 1
Views: 350
Reputation: 10095
In addition to @David's answer, you can do the formatting of this column in your RowDataBound event.
In the case of a non-admin user, don't set the text of this control.
protected void grd_RowDataBound(object sender, GridViewRowEventArgs e)
{
    // Only data rows carry the secured control; skip header, footer and pager rows
    if (e.Row.RowType == DataControlRowType.DataRow)
    {
        Label SecuredColumn = (Label)e.Row.FindControl("SecuredColumn");
        if (Request.ServerVariables.Get("LOGON_USER").Split('\\')[1] == "MyAdminUser")
        {
            // Admin: populate the label from the bound data item and show it
            SecuredColumn.Text = ((YourClass)e.Row.DataItem).YourPropertyName;
            SecuredColumn.Visible = true;
        }
        else
        {
            // Non-admin: leave the text unset so the value is never assigned
            SecuredColumn.Visible = false;
        }
    }
}
Upvotes: 1
Reputation: 73564
The control is stored in the Viewstate even if the visibility is set to false. The viewstate isn't encrypted, it's just Base-64 encoded. Theoretically, it is possible to parse the viewstate and extract values, so it's not 100% secure, but it would be difficult for most people to exploit the weakness and extract the values.
For minor things it's probably OK to do this, but if you're protecting really sensitive data, I'd find another method for hiding the data, or just not have it go to the client at all. For a control, maybe add it dynamically in code-behind for admin users rather than setting its visibility to false.
And of course, practice defense-in-depth.
Simply hiding controls is known as "Security by obscurity" which isn't much security at all. It IS a valid additional layer of security, but you should absolutely not be relying on it (hiding links to sensitive information assuming that you can't get to it if you don't know the URL, for example). If you do use it to hide links, you still need to protect those pages with as much care as you would if the links weren't "hidden". There are many ways that attackers find such "hidden" links.
Upvotes: 5
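As an added illustration of the "don't send it to the client at all" and defense-in-depth points above (example code, not from the question or either answer): the page decides authorization once on the server from the authenticated principal's role, binds a projection without the sensitive property for non-admins so it never reaches the markup or ViewState, and re-checks the role on any postback that acts on that data. The `Administrators` role name, the `Employee` class, the sample rows and a `GridView1` with `AutoGenerateColumns="true"` are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.UI;

public partial class EmployeeList : Page
{
    // Constructed sample data standing in for a database query (assumption).
    private static readonly List<Employee> Employees = new List<Employee>
    {
        new Employee { Name = "Alice", Department = "Finance", Salary = 95000m },
        new Employee { Name = "Bob",   Department = "IT",      Salary = 87000m },
    };

    // Single authorization decision, taken from the authenticated principal's role
    // rather than by string-matching a user name pulled out of a server variable.
    private bool IsAdmin =>
        User != null && User.Identity.IsAuthenticated && User.IsInRole("Administrators");

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;

        // Non-admins are bound to a projection that lacks the Salary property entirely,
        // so neither the rendered HTML nor the ViewState can ever carry the value.
        GridView1.DataSource = IsAdmin
            ? (object)Employees
            : Employees.Select(x => new { x.Name, x.Department }).ToList();
        GridView1.DataBind();
    }

    // Hiding a button in the UI does not control who can submit the request,
    // so every handler that touches the sensitive data re-checks on the server.
    protected void btnExportSalaries_Click(object sender, EventArgs e)
    {
        if (!IsAdmin)
        {
            Response.StatusCode = 403;
            Context.ApplicationInstance.CompleteRequest();
            return;
        }
        // ... export logic for administrators only ...
    }

    public class Employee
    {
        public string Name { get; set; }
        public string Department { get; set; }
        public decimal Salary { get; set; }
    }
}
```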