New Post 3/12/2010 9:12 AM
  palli
11189 posts
1st Level Poster




Re: Using Aurigma In 6.3.xxx 

Hi Derek,

Before we answer your question if this is safe or not, then we must know more about how exactly you are going to pass the parameters from the AspPageBox to the .aspx page. The AspPageBox itself is equally secure as other Visual WebGui controls, but the overall security depends on the parameter passing and the .aspx page itself. If you want us to review your method, then I suggest you assemble a minimal app demonstrating the method you chose and send it to support so we can take a look.

Generally, you can go a long way yourself by simply testing the .aspx page in your popup window with parameters already passed, by viewing the generated Html code, scripts etc. and see if there is a way to "sniff" the parameters and then test or experiment if there is a way to load the .aspx page directly from the browser knowing the parameters.

Palli

 


Páll Björnsson - Visual WebGui support team - Email: support@visualwebgui.com
 
New Post 3/12/2010 10:54 AM
  derekmhart@yahoo.com
685 posts
1st Level Poster


Re: Using Aurigma In 6.3.xxx 
(Modified by derekmhart@yahoo.com on 3/12/2010 10:19:11 PM)

The parameters are being passed into the form as properties of the popup form. NO query parameters. So the URL cannot be manipulated with query parameters. And in code I can detect if the properties were filled and not allow anything to happen. This should be very clear. Can the form properties be manipulated? Probably not in VWG, right? Is this clear?

And what is the difference between asppagebox and asppagebase, as stated in your earlier post?

 
New Post 3/13/2010 7:51 AM
  palli
11189 posts
1st Level Poster




Re: Using Aurigma In 6.3.xxx 

Hi Derek,

It is very hard for me to reply a yes to your question, as you are outside of Visual WebGui issues here. Based on what you say that you guarantee that the parameters you are porting can not be changed on the target aspx page, then my answer can only be that Visual WebGui is secure in terms of the logic used to build those parameters and posting them. However, after you have posted them, you are down to the mercy of standard ASP.NET if the parameters can be changed, as you are using a standard ASP.NET web page for the rest of your processing, and that is where we were pointing your concerns. If you are still concerned, please view one of the ASP.NET forums and/or post your question there.

Regarding the difference between AspPageBox and AspPageBase, then there is quite a difference between the two. Using AspPageBox, you use the Path property to point to a normal .aspx page. This effectively gives you very limited control of that aspx page and your Visual WebGui application and that .aspx page will effectively be running as two distinct applications within your website, very similar to what HtmlBox can do.

Using AspPageBase, you are working on the same level as the ASP.NET wrapper does. Put in simple words, then it is actually working on object level, feeding the responses/requests through the Visual WebGui pipeline for every request/response which gives you a whole lot more secure implementation, as well as much more interoperability between your Visual WebGui application and your "wrapped" control.

Hope this explains,

Palli

 


Páll Björnsson - Visual WebGui support team - Email: support@visualwebgui.com
 
New Post 3/13/2010 8:55 AM
  derekmhart@yahoo.com
685 posts
1st Level Poster


Re: Using Aurigma In 6.3.xxx 
(Modified by derekmhart@yahoo.com on 3/13/2010 1:50:42 PM)

In reference to your answer "Visual WebGui is secure in terms of the logic used to build those parameters and posting them" - the parameters that need to be passed include a GUID that would be practically impossible to find I think - if VWG passes those parameters into the aspx page, then are you saying that they should in no way be visible if the user views the source of the page? If that is the case, then the aspx will be useless if the user cannot figure out the GUID. From what I am saying, if VWG properly hides these parameters, then do you agree that this part is safe?

I have used the asp.net wrapper, and don't know the difference between using that and using asppagebase. Is it the same? If not, is there an article on it? And is this also different from creating a custom control?

When I make an asp.net wrapper, it Inherits from Gizmox.WebGUI.Forms.Hosts.AspControlBoxBase. Is AspControlBoxBase the same as asppagebase?

Which is the most secure, asp.net wrapper (AspControlBoxBase), asppagebase, or custom control?

I am shying away from the asp.net wrapper because it had problems with the last upload control, but you have convinced me that I have to make this more secure. Please elaborate on the above so I know the most secure route.

And if there are concerns, does running in HTTPS solve much of them? Is it a problem to get an HTTPS certificate and have it also run with the aspx page if I go that route?

Many questions... please answer all if you can... I have to make a large development decision.

 
New Post 3/14/2010 7:20 AM
  ori.cohen
4383 posts
1st Level Poster




Re: Using Aurigma In 6.3.xxx 

Hello Derek,

I need you to realize that making decisions based on things that are sent to the client and can be changed by the client causes security holes.
What I was telling you before in fact is that I think you should keep all your logic in server-side and leave the client to only be able to show the content you require, based on that logic.
If you can keep from exposing an ASP.NET page from being deliverable by your IIS, that would also help.

If you decide to use an ASP.NET page on your application, you could use the Session object to store specific session variables to pass information to the ASP.NET page you need to show.
These variables will not be in the session object if the user accesses the ASP.NET page URL directly.
Please remember to dispose of the session variables once you no longer need to access them.

HTTPS secures the information being transferred between IIS and the client browser and back. As such I am not sure how it can help here.

The AspControlBoxBase and AspPageBox both derive directly from FrameControl, but are very different in their nature.
The AspPageBase derives from the Gizmox.WebGUI.Forms.Hosts.AspPipeLinePage that in turn derives from the System.Web.UI.Page class.
You can find the sources for these classes in the "Hosts" directory of the "Gizmox.WebGUI.Forms" project.

Regards,

Ori Cohen
Support Manager, the Visual WebGui team
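
The session-variable approach described in the reply above, sketched as an added example that is not part of the original thread or Visual WebGui's own code. `UploadTicket`, the `Upload` page class, the key name and the `OnUploadCompleted` handler are hypothetical names; only standard ASP.NET session and page APIs are used.

```csharp
using System;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;

// Hypothetical helper: passes a value to the .aspx page through server-side
// session state, so it never appears in the URL or in the page source.
public static class UploadTicket
{
    private const string Key = "UploadTicket.RecordId"; // assumed key name

    // Server-side code stores the value before the popup is shown.
    public static void Issue(HttpSessionState session, Guid recordId)
    {
        session[Key] = recordId;
    }

    // False when nothing was issued, e.g. the page URL was opened directly.
    public static bool TryRead(HttpSessionState session, out Guid recordId)
    {
        object value = session[Key];
        bool issued = value is Guid;
        recordId = issued ? (Guid)value : Guid.Empty;
        return issued;
    }

    // Dispose of the session variable once it is no longer needed.
    public static void Revoke(HttpSessionState session)
    {
        session.Remove(Key);
    }
}

// Code-behind of the hypothetical Upload.aspx page.
public partial class Upload : Page
{
    private Guid recordId;

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!UploadTicket.TryRead(Session, out recordId))
            throw new HttpException(403, "No upload ticket in this session.");
    }

    protected void OnUploadCompleted(object sender, EventArgs e)
    {
        // Store the uploaded file against recordId here, then revoke.
        UploadTicket.Revoke(Session);
    }
}
```

The ticket is tied to the browser's session, not to the popup, so the page URL stays reachable from that same session until `Revoke` runs.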

 