000019719 - Using ASP's Server.Transfer() function call

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000019719
Applies ToRSA ACE/Agent 4.4 for Windows NT (no longer supported as of 3-3-2003)
RSA ACE/Agent 5.0 for Windows
Microsoft Internet Information Server (IIS) 5.0
IssueUsing ASP's Server.Transfer() function call
Although the use of Server.Transfer() can improve the Web server's performance, it may effectively bypass the RSA ACE/Agent protection of the transferred file. For example, if the ASP file containing Server.Transfer() is not protected by RSA's ACE/Agent, the user will not be challenged for their RSA SecurID authentication when Server.Transfer() executes a HTTP forward to another file protected by the ACE/Agent within the Web server.
CauseThe RSA ACE/Agent on the IIS Web server is designed to intercept requests coming from outside the Web server. Therefore, RSA strongly recommends against using Server.Transfer() with the ACE/Agent in a mix-protected and mix-unprotected file environment.
ResolutionIf your organization requires the use of Server.Transfer(), RSA recommends protecting all ASP files initiating the transfer with the ACE/Agent.
Legacy Article IDa11832