Control Visibility, ViewState and Security and Performance
It is not unheard of to come across a solution where use of asp:Placeholder and asp:Panel (or some other container) Visibility is employed to show/hide certain details from the user especially when when implementing "simple" Authorization/Permission features ("simple" since there are likely more complicated and/or better ways to handle it) Of course you could always implement declarative authorization features in ASP.NET but I believe it would cause the user to be redirected to the page identified as the login url and might not be applicable if you want to stay on the same page.
So if you simply perform checks in code you might have the following approach: Does User.Indentity.Name have permission to view this page? Yes/No? If yes, display contents of panel/placeholder, if no set their visibility to false.
Simple and might do the trick.
BUT never forget that although they are invisible, some values might be present in the viewstate (eg. values bound to gridview inside the panel/placeholder). Although viewstate might look cryptic, remember that it is just base 64 encoded string. And although you could have employ encrypted ViewState, it would still be not a good idea and you will have unnecessary overhead.
So just a quick note to self (and possibly others) that settings PlaceHolder/Panel visibility to false doesn't stop it from saving information in viewstate. Obvious to some but not to all so if you're guilty, better fix that code before someone gets to see something they shouldn't.
I'm also interested how best to implement this in code (not using ASP.NET built-in declarative authorization rules - ie. in web.config). HttpModule maybe? But note that I would want the resulting page to have the same look and feel (still use master page) rather than simply a text in the page (and nothing more) or worst an exception throw because user doesn't have view permission for example, nor redirected to a generic page. I'll try to explore this but someone who might have a good idea out there comes across this and shares his/her notes.
UPDATE: I just realized that aside from the security consideration in this case disabling viewstate when not need would improve performance significantly (depending on how items you have in your page makes use of viewstate - eg. disabling view state when hiding a gridview is significant) so adding Performance to the title as well.
Also, be cautious about disabling view state. It is used by control to persist information across postbacks so if you do disable them make sure you test your page well.
* Cross post from .NET Developer Notes on Control Visibility, ViewState and Security and Performance