Alter HttpContext.Current.User.Identity.Name from the client

  • Question

  • User-802546231 posted

    I'm reviewing some code for a colleague and want to be sure about this before I raise it (office politics rubbish...)

    Would it be possible for someone with malicious intent to alter  the value of HttpContext.Current.User.Identity.Name from the client side?

    Monday, February 16, 2015 11:08 AM

Answers

  • User753101303 posted

    Hi,

    Likely depends on which authentication method is used. You won't be able to do that directly, but you could steal authentication cookies and reuse them on your own machine to be logged in as this user.

    A first step is likely to make sure to use SSL with strong encryption. Try https://msdn.microsoft.com/en-us/library/ff648341.aspx ("outdated" but still seems helpful to me).

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, March 4, 2015 7:12 AM
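The cookie-theft scenario in the accepted answer is what the authentication cookie settings in web.config control. The following is an added example, not configuration posted in this thread, and it assumes the site uses Forms authentication (the thread never says which mode is in use; Windows authentication uses the HTTP authentication handshake rather than an application-issued cookie). The weak settings are left in a comment next to the hardened ones.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: hardening the Forms authentication ticket against cookie theft.
     Assumes Forms authentication; loginUrl is a placeholder path. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Weak (for comparison): the ticket cookie may travel over plain HTTP,
           can be carried in the URL, and stays valid for two days of activity:
           <forms loginUrl="~/Login.aspx"
                  requireSSL="false"
                  cookieless="AutoDetect"
                  slidingExpiration="true"
                  timeout="2880" />
      -->
      <!-- Hardened: the browser only sends the cookie over HTTPS, the ticket
           never appears in a URL, it is encrypted and signed, and a stolen
           copy stops working after a fixed 30 minutes. -->
      <forms loginUrl="~/Login.aspx"
             requireSSL="true"
             cookieless="UseCookies"
             protection="All"
             slidingExpiration="false"
             timeout="30" />
    </authentication>

    <!-- Applies to every cookie the application issues: not readable from
         client-side script, and only sent over HTTPS. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

With requireSSL="true" on the forms element, ASP.NET refuses to issue the ticket at all on a non-HTTPS request, so the setting also surfaces misconfigured deployments early instead of silently downgrading.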

All replies

  • User-734925760 posted

    Hi,

    So far as I know, you need to disable anonymous authentication and enable Windows authentication; then you should be able to get the username. Then you can use it and update it.

    For more information, please refer to the link below:

    http://forums.asp.net/t/1740169.aspx?How+to+get+Client+UserName+in+asp+net

    Hope it's useful for you.

    Best Regards,

    Michelle Ge

    Monday, February 16, 2015 9:43 PM
  • User-802546231 posted

    Hi, I know how to use Windows authentication. What I'm asking is whether it is possible for a client to fake this, i.e. pretend it is a user it is not, or replace the name with some other value.

    For example, if a client was able to replace this value with ";drop schema;", someone not parameterising their SQL could be in a spot of trouble.

    Tuesday, February 17, 2015 4:49 AM
  • User-734925760 posted

    Hi,

    So far as I know, I don't think it's ok to replace the name.

    Best Regards,

    Michelle Ge

    Tuesday, February 24, 2015 12:30 AM
  • User-802546231 posted

    Sorry, I wasn't asking if it was ok, I was wondering if it is at all possible?

    Monday, March 2, 2015 11:44 AM