How does HttpContext.Current.User.Identity.Name work, and how secure is it?

I am using HttpContext.Current.User.Identity.Name to get the user name of the logged-in user. I would like to know how this works (using NTLM v2 / Kerberos) and how secure it is. Can the user pretend that he is someone else?

Basically, from a security point of view, is there something I should be worried about, or how should I improve it?

Ryan S Avatar asked Nov 16 '12 10:11

1 Answer

If you are authenticating using Windows authentication (which, given your mention of NTLM/Kerberos, it appears you are) then what happens is (roughly) as follows:

  • IE sends a request with no authentication header to your web server.
  • IIS refuses the request with a 401 response code and tells the browser the authentication scheme it wants (in this case Negotiate, which tries Kerberos first and then falls back to NTLM).
  • The Kerberos handshake takes place over multiple connections, and the ticket is validated against AD.
  • IIS passes the ticket down to ASP.NET which, in the process of building the Request object, populates the principal on the thread assigned to the request with the identity details from the ticket.
  • When you access HttpContext.User you see the principal for the current thread.

It's secure. It's basically the same authentication type used when you connect to a Windows server via file shares or anything else that is using Kerberos. It's actually IIS and Windows itself doing the vast majority of the work; ASP.NET is just giving you a nice way to query the results.

blowdart Avatar answered Oct 06 '22 07:10
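An added example, not from the question or the answer above, showing the check a practitioner would pair with this flow: only trust `Identity.Name` once the request's principal is a `WindowsIdentity` that IIS actually authenticated, since with anonymous access still enabled the browser is never challenged and `Name` is just an empty string. The `WindowsCaller` class and the web.config fragment in the comment are assumptions for illustration.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Assumed web.config (not shown on the page). These lines are what cause the
// 401 / Negotiate challenge described in the answer:
//   <system.web>
//     <authentication mode="Windows" />
//     <authorization><deny users="?" /></authorization>
//   </system.web>
// Without the deny rule, and with Anonymous enabled in IIS, no handshake
// happens and HttpContext.Current.User.Identity.Name is "".

public static class WindowsCaller
{
    // Returns DOMAIN\user only when IIS completed a Windows authentication
    // (Negotiate / Kerberos / NTLM) for this request; null otherwise, so a
    // caller cannot mistake "" or a Forms/custom principal for a verified
    // Windows identity.
    public static string GetVerifiedName(IPrincipal principal)
    {
        if (principal == null) return null;

        var identity = principal.Identity as WindowsIdentity;
        if (identity == null) return null;            // Forms, custom, or no principal at all
        if (!identity.IsAuthenticated) return null;   // anonymous request: no token was issued

        switch (identity.AuthenticationType)
        {
            case "Negotiate":
            case "Kerberos":
            case "NTLM":
                return identity.Name;                 // e.g. CORP\alice
            default:
                return null;
        }
    }

    // Convenience wrapper for use inside a page, handler, or module.
    public static string GetVerifiedName()
    {
        var ctx = HttpContext.Current;
        return ctx == null ? null : GetVerifiedName(ctx.User);
    }
}
```

Logging `identity.AuthenticationType` alongside the name also tells you, per request, whether Kerberos succeeded or the browser fell back to NTLM, which is useful when auditing why a given client is not getting Kerberos.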