views:

70

answers:

4

From a security stand point what are a couple major points that would aid in the result of using a .master file versus a .aspx file?

+1  A: 

Technically, there's no major difference from a security standpoint. You could implement your security logic from within the Master page, which would insure that it's included on every page that uses that MasterPage. You could argue this makes things more secure because there is less chance for human error :).

o6tech
A: 

Its a trick homework question -- neither should have anything to do with security.

Wyatt Barnett
+1  A: 

From a security standpoint, there isn't really a difference in a .master file and a .aspx file. They do have a unique execution path when it comes to a page life cycle, but they are executed in the same way and would be prone to the same security flaws & protections.

That said, the reduction of code that a .master file allows (as well as forcing you to think about generaliation) will go a long way in helping you develope a reliable (related to security) website.

Kevin
Thank you Kevin. I ask because on a current project app dev have opt'd to use .master as content pages rather than .aspx and I am unsure why. I will look into the unique execution paths for more direction.
Smccullough
+1  A: 

Both master and content page make up 1 rendered page in your browser. The master page is there to create a common look and feel throughout your entire site, or parts of it. You can even nest master pages if needed.

ASP.NET as a whole already has quite some security hooks built in by default. RequestValidation to prevent malicious input, parametrized queries are possible to prevent SQL injection, Membership for authentication, Roles for authorization, UrlAuthorization to prevent people of guessing urls and might be able to see sensitive data, ...

Be sure to also check out patterns & practices Security How Tos Index.

XIII