Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How does HttpContext.Current.User.Identity.Name work? and how secure is it?

Tags:

c#

security

asp.net

iis

I am using HttpContext.Current.User.Identity.Name to get the user name of the logged in user. I would like to know how this is working (using NTLM v2 / Kerberos) and how secure is it? Can the user try to mimic he is someone else?

Basically, from a security point of view, is there something I should be worried about, or how should I improve it?

like image 767
Ryan S Avatar asked Nov 16 '12 10:11

Ryan S

People also ask

What is HttpContext current user identity?

It just holds the username of the user that is currently logged in. After login successful authentication, the username is automatically stored by login authentication system to "HttpContext.Current.User.Identity.Name" property.

How do you set HttpContext user identity for an application manually?

You can achieve this by manually settings HttpContext. User: var identity = new ClaimsIdentity("Custom"); HttpContext. User = new ClaimsPrincipal(identity);

What is user identity name?

Techopedia Explains User Identification (User ID)Typically in an authentication process, user ID is used in conjunction with a password. The end-user must provide both of the credentials correctly to gain access to the system or application.

What is HttpContext?

The HttpContext encapsulates all the HTTP-specific information about a single HTTP request. When an HTTP request arrives at the server, the server processes the request and builds an HttpContext object. This object represents the request which your application code can use to create the response.

1 Answers

If you are authenticating using Windows authentication (which, given your mention of NTLM/Kerberos it appears you are) then what happens is (roughly) as follows

  • IE sends a request with no authentication header to your web server.
  • IIS refuses the request with a 401 response code and tells the browser the authentication scheme it wants (in this case Negotiate, which tries Kerberos first, and then falls back to NTLM)
  • The kerb handshake takes place over multiple connections, and the ticket is validated against AD
  • IIS passes the ticket down to ASP.NET which, in the process of building the Request object populates the principal on the thread assigned to the request with the identity details from the ticket.
  • When you access HttpContext.User you see the principal for the current thread.

It's secure. It's basically the same authentication type used when you connect to a Windows server via file shares or anything else that is using kerberos. It's actually IIS and Windows itself doing the vast majority of the work, ASP.NET is just giving you a nice way to query the results.

like image 117
blowdart Avatar answered Oct 06 '22 07:10

blowdart
Sign in to Comment

Related questions

Generic method to read data from DataReader
MVC 4 SimpleMembership HasLocalAccount method not found
How to Convert EventArgs when wiring events?
C# / VB.Net Task vs Thread vs BackgroundWorker
Relay Command in windows 8 windows store app
How to set Json.NET ContractSerializer for a certain specific type instead of globally?
Packaging repositories and their interfaces in DDD
.NET IL ByteCode Optimizer [closed]
Data grouping in SQL
Is noda-time applicable in this case?
how do Value Types in .NET actually work?
how to get more information on an exception
Pluralize Swedish Words?
If SqlDataAdapter uses a data reader internally, why do people say that using a SqlDataReader is faster?
Active Directory Group Membership Checking in .Net 4.5
Make Levenstein's Distance algorithm fit my needs
C# Merge Two SortedLists (Union?)
Numbered list on Richtextbox
Partial ungrouping list of duplicate values
How to get UTC Offset during DST time in .NET

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!