Is Request.IsLocal secure or can it be spoofed?

I have a webpage which checks for an encrypted cookie on page load to determine user identity. However, when I'm testing the page locally on my development box, I don't have access to that cookie.

Previously I used an appsetting to tell the page whether it was in development mode or not, and when in dev-mode it would load a fixed user identity. Then I discovered Request.IsLocal

I can simply check like this:

// Sketch from the question (needs System.Web and System.Web.Security):
// choose the identity based on whether the request came from the local machine.
if (Request.IsLocal)
{
   FormsAuthentication.SetAuthCookie("testUser", false);
}
else
{
   // userNameFromCookie: the identity decrypted from the cookie (value elided in the original)
   FormsAuthentication.SetAuthCookie(userNameFromCookie, false);
}

Is this secure? Is there any way a malicious user could spoof IsLocal?

Slider345 asked Sep 25 '13 16:09


1 Answer

I think your actual question is, how do you have development only functionality?

You could use: Environment.UserInteractive
http://msdn.microsoft.com/en-us/library/system.environment.userinteractive.aspx

It returns false when running in IIS or a Windows Service, true when there is a user interface, i.e. Visual Studio when you're developing.

I think this is better than a DEBUG preprocessor variable because the behaviour is more consistent; you could accidentally upload a DEBUG version of your dll to your live environment unless you have a very tight build/release process.

As a rule of thumb it's not a good idea to trust anything from the client.
I'd also be pragmatic, what are you protecting and how much effort would someone go to hack in?

The below SO post goes into some of the reasons why you shouldn't trust it:
Can I fool HttpRequest.Current.Request.IsLocal?

Reference
You can view the source at http://referencesource.microsoft.com

public bool IsLocal {
   get {
      String remoteAddress = UserHostAddress; 

      // if unknown, assume not local
      if (String.IsNullOrEmpty(remoteAddress))
         return false; 

      // check if localhost 
      if (remoteAddress == "127.0.0.1" || remoteAddress == "::1") 
         return true;

      // compare with local address
      if (remoteAddress == LocalAddress)
         return true;

      return false;
   } 
}
Ralph Willgoss answered Sep 22 '22 19:09
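As an added example (not code from the question or the answer), the snippet below ports the three branches of the quoted IsLocal source into a stand-alone function so they can be evaluated against sample addresses without an HttpContext, and pairs it with a development gate in the spirit of the answer's Environment.UserInteractive suggestion. RequestAddresses is a hypothetical stand-in for HttpRequest.UserHostAddress and HttpRequest.LocalAddress; the addresses in Main are constructed values.

```csharp
using System;

// Added example: a stand-alone port of the IsLocal logic quoted from the
// reference source. RequestAddresses is a hypothetical stand-in for the
// UserHostAddress / LocalAddress properties of HttpRequest.
public static class IsLocalDemo
{
    public sealed class RequestAddresses
    {
        public string RemoteAddress { get; set; }  // corresponds to UserHostAddress (REMOTE_ADDR)
        public string LocalAddress { get; set; }   // corresponds to LocalAddress (the server's own IP)
    }

    // Same decision order as the quoted source: unknown -> false,
    // loopback -> true, remote address equal to the server's own address -> true,
    // anything else -> false. Nothing the client sends (headers, cookies) is consulted;
    // only the peer address of the TCP connection matters.
    public static bool IsLocal(RequestAddresses r)
    {
        if (string.IsNullOrEmpty(r.RemoteAddress))
            return false;
        if (r.RemoteAddress == "127.0.0.1" || r.RemoteAddress == "::1")
            return true;
        if (r.RemoteAddress == r.LocalAddress)
            return true;
        return false;
    }

    // A development gate that does not depend on anything taken from the request.
    // Under IIS or a Windows service Environment.UserInteractive is false, so the
    // test identity cannot be selected in a hosted deployment.
    public static bool IsDeveloperSession()
    {
        return Environment.UserInteractive;
    }

    public static void Main()
    {
        // Constructed sample addresses covering each branch of the check.
        var cases = new[]
        {
            new RequestAddresses { RemoteAddress = "127.0.0.1", LocalAddress = "127.0.0.1" }, // IPv4 loopback -> true
            new RequestAddresses { RemoteAddress = "::1",       LocalAddress = "::1" },       // IPv6 loopback -> true
            new RequestAddresses { RemoteAddress = "10.0.0.5",  LocalAddress = "10.0.0.5" },  // same host, non-loopback -> true
            new RequestAddresses { RemoteAddress = "10.0.0.5",  LocalAddress = "10.0.0.9" },  // different host -> false
            new RequestAddresses { RemoteAddress = "",          LocalAddress = "10.0.0.9" },  // address unknown -> false
        };

        foreach (var c in cases)
            Console.WriteLine($"remote={c.RemoteAddress,-10} local={c.LocalAddress,-10} IsLocal={IsLocal(c)}");

        Console.WriteLine($"UserInteractive={IsDeveloperSession()}");
    }
}
```

The third case is the one worth noticing when reviewing this kind of gate: any process running on the web server itself, including a reverse proxy deployed on the same box that forwards traffic to the site, arrives with a remote address equal to the server's own address and is therefore classed as local. That is why a deployment-independent signal such as Environment.UserInteractive, or a configuration setting that is never present in production, is a safer basis for selecting a test identity than a property of the incoming request.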