It is like an internal pass - the client isn't aware of it. If the client
gets between the two pages, then you have to validate your data. If it's
already validated, then you can continue to trust it.

--
Chris Jackson
Software Engineer
Microsoft MVP - Windows XP
Windows XP Associate Expert
--
"Tim Almond" <anon@anon.co.uk> wrote in message
news:OD1dDu%23aDHA.1204@TK2MSFTNGP12.phx.gbl...
>
> "Chris Jackson" <chrisj@mvps.org> wrote in message
> news:%23SGMy89aDHA.384@TK2MSFTNGP12.phx.gbl...
> > If you use Server.Transfer, you can always use
> > System.Web.HttpContext.Items.Add to pass something in to your request to
> > the new page.
> >
> > As for retrieving properties from the source page, any time you rely on
> > information that comes from the client, you can't trust it. So, if you're
> > getting it from session state, then you are fine. But, say for example,
> > that you have a form that gives you options based on your credentials. As
> > an employee, I may have the option of requesting a vacation day, but as a
> > manager I can request, approve, or deny a vacation day. If I am a
> > malicious user, I can just create my own HTML form to post back an
> > approval, even though I wouldn't see that option on the form that you gave
> > me.
> >
> > Viewstate is a way for the server to pass information back and forth from
> > itself - nothing is added to it on the client side.
> >
> > --
> So to use Server.Transfer, I'd still have to validate the Case Code against
> the user ID on the page in case the input had been hacked? I thought the
> idea of the Server.Transfer was that it was like an internal 'pass'.
>
>
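
Added example, not code from anyone in this thread: a C# code-behind sketch of the pattern discussed above, where the page that receives the post validates the Case Code against the logged-in user, then passes it to the next page through HttpContext.Items and Server.Transfer. The page names, the "ValidatedCaseCode" key and the CaseStore helper are assumptions made up for the illustration.

```csharp
// Added illustration; page names, the "ValidatedCaseCode" key and CaseStore are hypothetical.
using System;
using System.Web.UI;
public static class CaseStore
{
    // Stand-in for a real lookup of which user owns which case (constructed data).
    public static bool UserOwnsCase(string userId, string caseCode)
    {
        return userId == "CONTOSO\\tim" && caseCode == "C-1001";
    }
}

// Code-behind for the page that receives the client's post.
public class SelectCase : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack) return;
        // Client-supplied, so untrusted: check it against the authenticated user.
        string caseCode = Request.Form["CaseCode"];
        if (caseCode == null || !CaseStore.UserOwnsCase(User.Identity.Name, caseCode))
        {
            Response.StatusCode = 403;
            Response.End();
        }

        // Validated once; hand it to the next page inside the same request.
        Context.Items.Add("ValidatedCaseCode", caseCode);
        Server.Transfer("CaseDetail.aspx");
    }
}

// Code-behind for the transfer target.
public class CaseDetail : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Context.Items never leaves the server. If the key is missing, the
        // client requested this page directly, so nothing has been validated.
        string caseCode = Context.Items["ValidatedCaseCode"] as string;
        if (caseCode == null)
        {
            Response.Redirect("SelectCase.aspx");
            return;
        }
        // Do not read Request.Form here; whatever it holds is still client input.
        Response.Write(Server.HtmlEncode(caseCode));
    }
}
```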