How is Response.Redirect() Impacting My Site?

Can people ignore your Response.Redirect() and potentially gain access to pages they shouldn't be able to access? (tl;dr YES)

Response.Redirect() is defined in the MSDN as:

Redirects a client to a new URL. Specifies the new URL and whether execution of the current page should terminate.

Whether the exceution of the page should terminate? What does that mean and how is it impacting your site? Do you actually have a giant security hole in your site because of this?

If you use Response.Redirect, you want to read this.

I bring this up because I see a lot of code that just specifies:


Which gets executed as:

Response.Redirect("~/my-new-url", true);

Where true determines whether to end the response or not. Ending the response terminates execution of the page by throwing a ThreadAbortionException... which has a detrimental effect on web performance, which is why "passing false for the endResponse parameter is recommended".

Let's take a look at what this means.

By installing the NoRedirect add-on for FireFox you can see what happens when you use Response.Redirect(), because you can stop the 302 redirect that occurs. For this scenario, we are going to use an Admin page, which for some reason you only secured using the code-behind.

protected void Page_Load(object sender, EventArgs e)
     if (!(CurrentUser.IsAuthenticated() && CurrentUser.IsAdmin()))
          .... do cool admin stuff     

Because this made it secure, right? Right??

In the case above, for non-Admin users, the page is served up as:

Redirect Example 1

That's good... because a regular user NOT using NoRedirect would just be redirected... and none-the-wiser. (except for your ThreadAbortionException)

It served up a 302 redirecting the person back to the home page. But MSDN said not just to do Response.Redirect("~/"); and instead do Response.Redirect("~/", false); because we want to be efficient!

Now what happens? Well, your page execution completes, so this:

Response.Redirect option 2

Uh oh. Now your admin page is exposed. And if for some unknown reason you aren't rechecking security on post-back, you have a big issue. There are ways for you to fix this (one way is to wrap all the content in a <div runat="server" visible="false"> and only show it if they are in the correct role).

I hope this gives you something to think about.

Happy coding!