Alter HttpContext.Current.User.Identity.Name from the client

Question

User-802546231 posted

I'm reviewing some code for a colleague and want to be sure about this before I raise it (office politics rubbish...)

Would it be possible for someone with malicious intent to alter  the value of HttpContext.Current.User.Identity.Name from the client side?

Answer 1

User-734925760 posted

Hi,

So far as I know, you need to disable anonymous authentication and enable windows authentication, you should be able to the the username. Then you can use it and update it.

For more information, please refer to the link below:

http://forums.asp.net/t/1740169.aspx?How+to+get+Client+UserName+in+asp+net

Hope it's useful for you.

Best Regards,

Michelle Ge

Answer 2

User-802546231 posted

Hi, I know how to use windows authentication, what I'm asking is it possible for a client to fake this, i.e. pretend it is a user it is not or replace the name with some other value.

for example, if a client was able to replace this value with ";drop schema;" someone not parameterising their sql could be in a spot of trouble

Answer 3

User-734925760 posted

Hi,

So far as I know, I don't think it's ok to replace the name.

Best Regards,

Michelle Ge

Answer 4

User-802546231 posted

sorry, I wasn't asking if it was ok, I was wondering if it is at all possible?

Answer 5

User753101303 posted

Hi,

Likely depends on which authentication method is used. You won't be able to do that directly but you could stole authentication cookies and reuse them on your own machine to be logged as this user.

A first step is likely to make sure to use SSL with a strong encryption. Try https://msdn.microsoft.com/en-us/library/ff648341.aspx ("outdated" but still seems helpfull to me).