Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

difference between http.context.user and thread.currentprincipal and when to use them?

Tags:

c#

security

asp.net

genericprincipal

I have just recently run into an issue running an asp.net web app under visual studio 2008. I get the error 'type is not resolved for member...customUserPrincipal'. Tracking down various discussion groups it seems that there is an issue with Visual Studio's web server when you assign a custom principal against the Thread.CurrentPrincipal.

In my code, I now use...

HttpContext.Current.User = myCustomPrincipal
//Thread.CurrentPrincipal = myCustomPrincipal

I'm glad that I got the error out of the way, but it begs the question "What is the difference between these two methods of setting a principal?". There are other stackoverflow questions related to the differences but they don't get into the details of the two approaches.

I did find one tantalizing post that had the following grandiose comment but no explanation to back up his assertions...

Use HttpConext.Current.User for all web (ASPX/ASMX) applications.

Use Thread.CurrentPrincipal for all other applications like winForms, console and windows service applications.

Can any of you security/dot.net gurus shed some light on this subject?

like image 467
yamspog Avatar asked Jun 16 '10 23:06

yamspog

People also ask

What is thread CurrentPrincipal in C#?

Thread. CurrentPrincipal is the way . NET applications represent the identity of the user or service account running the process. It can hold one or more identities and allows the application to check if the principal is in a role through the IsInRole method. Most authentication libraries in .

What is HttpContext user?

The User property provides programmatic access to the properties and methods of the IPrincipal interface. Because ASP.NET pages contain a default reference to the System. Web namespace (which contains the HttpContext class), you can reference the members of HttpContext on an .

1 Answers

The first thing that the HttpApplication object does when it acquires a thread is to set the thread's principal to the HttpContext's principal. This syncs up the principals.

If, however, you go and set the Thread's principal later on, the HttpApplication internally still has a different principal set for the user context. This is why you should always set it through the HttpContext.

(If you take a look in Reflector, you can see the complex code that runs when you do a "set" on HttpContext.User - it does a lot of internal stuff with IIS to properly set the principal.)

like image 192
womp Avatar answered Sep 28 '22 18:09

womp
Sign in to Comment

Related questions

NSubstitute - Check arguments passed to method
How can I fix Visual Studio 2015 exception Microsoft.vshup.server.httphostx64.exe has stopped working when run project
C# Dynamic select List of strings
What is the purpose of casting into "object" type?
How to call an async task inside a timer? [duplicate]
Best way to "push" into C# array
What is the ValueTask equivalent of Task.CompletedTask?
Irregular shaped Windows Form (C#)
Write Unit tests into an assembly or in a separate assembly?
How do I add multiple namespaces to the root element with XmlDocument?
Getting proxies of the correct type in NHibernate
Looking for a tool to quickly test C# format strings [closed]
In .NET remoting what is the difference between RemotingConfiguration.RegisterWellKnownServiceType and RemotingServices.Marshal?
Why does adding the @ symbol make this work?
How do I create a new delegate type based on an existing one, in C#?
How can I programmatically scroll a WPF listview?
DataGridView throwing "InvalidOperationException: Operation is not valid..." when adding a row
Bind the text of RichTextBox from Xaml
C# BackgroundWorker's culture
binding a usercontrol to the opposite of a bool property

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!