The page transferred to should be another .aspx page. For instance, a transfer to an .asp or .asmx page is not valid.

HttpServerUtility.Transfer(string, bool) calls HttpResponse.End, which throws a System.Threading.ThreadAbortException exception upon completion.

If you set the preserveForm parameter to true, the target page will be able to access the view state of the previous page by using the System.Web.UI.Page.PreviousPage property.

For security purposes, you should keep the enableViewStateMac attribute set to true. ASP.NET does not verify that the current user is authorized to view the resource delivered by the HttpServerUtility.Transfer(string, bool) method. Although the ASP.NET authorization and authentication logic runs before the original resource handler is called, ASP.NET directly calls the handler indicated by the HttpServerUtility.Transfer(string, bool) method and does not rerun authentication and authorization logic for the new resource. If your application's security policy requires clients to have appropriate authorization to access the resource, the application should force reauthorization or provide a custom access-control mechanism.

You can force reauthorization by using the erload:System.Web.HttpResponse.Redirect method instead of the HttpServerUtility.Transfer(string, bool) method. The erload:System.Web.HttpResponse.Redirect method performs a client-side redirect in which the browser requests the new resource. Because this redirect is a new request entering the system, it is subjected to all the authentication and authorization logic of both Internet Information Services (IIS) and ASP.NET security policy.

You can verify that the user has permission to view the resource by incorporating a custom authorization method that uses the erload:System.Security.Principal.WindowsPrincipal.IsInRole method before the application calls the HttpServerUtility.Transfer(string, bool) method.

Namespace: System.Web
Assembly: System.Web (in System.Web.dll)
Assembly Versions: 1.0.5000.0, 2.0.0.0