The application is already using Windows integrated security, not Forms. What I am trying to accomplish is a so-called "step-up" authentication, or "force re-authentication", for the following scenario:
This would prevent the following two issues:
I know, some would look at this as "being paranoid", but some would also say it's common sense and should be built into a framework somewhere (jQuery or .NET).
Have the form send the credentials along with the request to perform the action, i.e., some actions require that you provide a username/password. Use the PrincipalContext ValidateCredentials method to ensure that the proper credentials have been entered, and check that the username supplied matches the current username in the User.Identity object.
using System;
using System.DirectoryServices.AccountManagement; // PrincipalContext, ContextType
using System.Web.Mvc;

[HttpPost] // credentials belong in the POST body, never in a query string
public ActionResult SensitiveAction(SensitiveModel model, string username, string password)
{
    using (var context = new PrincipalContext(ContextType.Domain))
    {
        // Under Windows authentication User.Identity.Name is "DOMAIN\user", so the
        // form must submit the username in that same form for this comparison to match.
        if (!string.Equals(this.User.Identity.Name, username, StringComparison.OrdinalIgnoreCase)
            || !context.ValidateCredentials(username, password))
        {
            return View("PermissionDenied");
        }
    }
    ...
}
The user goes for a meeting or a coffee and forgets to lock the workstation, and a colleague uses the session to access the sensitive area.
That works only the first time, but now the boss enters a sensitive area, re-enters her credentials, then goes for coffee. Are you going to prompt for every sensitive request? Users won't put up with that.
The user enters the credentials of his or her boss (because, let's say he peeked over the boss' shoulder) to access the sensitive area.
If someone knows and enters the credentials of their boss, there is nothing you can do to detect that.
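The two replies above pull in opposite directions: checking credentials on every sensitive request (the first answer) is what the asker wants, while prompting on every request is what the second answer says users will not tolerate. The usual compromise is a freshness window: a sensitive action runs only if the current user re-entered their own password within the last few minutes, and otherwise redirects to a small re-authentication form. The following ASP.NET MVC code is an added example of that pattern, not code from either answer. The controller and action names (`StepUp`, `Reauthenticate`, `Home/Index`), the session key, the five-minute window and the `SensitiveAction` usage at the end are all assumptions; the Razor view for the form is not shown.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Marks an action as sensitive: the caller must have re-entered their own Windows
// credentials within the last MaxAgeMinutes, otherwise they are redirected to the
// re-authentication form and sent back here once it succeeds.
public sealed class RequireRecentAuthenticationAttribute : ActionFilterAttribute
{
    private const string SessionKey = "StepUp.LastAuthUtc"; // assumed session key
    public int MaxAgeMinutes { get; set; } = 5;             // assumed default window

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var lastAuth = filterContext.HttpContext.Session?[SessionKey] as DateTime?;
        if (lastAuth.HasValue && DateTime.UtcNow - lastAuth.Value < TimeSpan.FromMinutes(MaxAgeMinutes))
        {
            return; // recent enough: let the action execute
        }
        // Stale or missing: redirect to the step-up form, remembering where to return.
        filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
        {
            { "controller", "StepUp" },
            { "action", "Reauthenticate" },
            { "returnUrl", filterContext.HttpContext.Request.RawUrl }
        });
    }

    public static void MarkAuthenticated(HttpSessionStateBase session)
    {
        session[SessionKey] = DateTime.UtcNow;
    }
}

public class StepUpController : Controller
{
    [HttpGet]
    public ActionResult Reauthenticate(string returnUrl)
    {
        return View(model: returnUrl);
    }

    [HttpPost, ValidateAntiForgeryToken] // password travels in the POST body only
    public ActionResult Reauthenticate(string username, string password, string returnUrl)
    {
        if (!IsCurrentUser(username) || !CredentialsAreValid(username, password))
        {
            ModelState.AddModelError("", "Re-authentication failed.");
            return View(model: returnUrl);
        }
        RequireRecentAuthenticationAttribute.MarkAuthenticated(Session);
        // Only follow local return URLs, so the form cannot be abused as an open redirect.
        return Url.IsLocalUrl(returnUrl)
            ? (ActionResult)Redirect(returnUrl)
            : RedirectToAction("Index", "Home");
    }

    // The re-entered name must belong to the already-authenticated Windows user.
    // User.Identity.Name is "DOMAIN\user"; the form may send that or the bare "user".
    private bool IsCurrentUser(string username)
    {
        if (string.IsNullOrWhiteSpace(username)) return false;
        var current = User.Identity.Name;
        if (username.Contains("\\"))
        {
            return string.Equals(current, username, StringComparison.OrdinalIgnoreCase);
        }
        var currentSam = current.Substring(current.LastIndexOf('\\') + 1);
        return string.Equals(currentSam, username, StringComparison.OrdinalIgnoreCase);
    }

    private static bool CredentialsAreValid(string username, string password)
    {
        // Refuse an empty password outright rather than handing it to the directory.
        if (string.IsNullOrEmpty(password)) return false;
        using (var context = new PrincipalContext(ContextType.Domain))
        {
            return context.ValidateCredentials(username, password);
        }
    }
}

// Usage: protect a sensitive action the same way the first answer does, but with
// the freshness window instead of a prompt on every request.
public class ReportsController : Controller
{
    [HttpPost, ValidateAntiForgeryToken]
    [RequireRecentAuthentication(MaxAgeMinutes = 5)]
    public ActionResult SensitiveAction(SensitiveModel model)
    {
        // ... the sensitive work itself
        return View();
    }
}
```

Two practical caveats. The window only narrows the unlocked-workstation problem, it does not remove it: a colleague who sits down within five minutes of the boss's last re-authentication still gets through, so keep the window short and do not bump the timestamp on ordinary page views. And every failed ValidateCredentials call is a bad-password attempt against the domain account, so a colleague guessing at the form can lock the boss out under the domain's lockout policy; rate-limit the form per session and log failures so that lockouts can be traced back to the workstation where they happened.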