Alter HttpContext.Current.User.Identity.Name from the client

Question
User-802546231 posted
I'm reviewing some code for a colleague and want to be sure about this before I raise it (office politics rubbish...)
Would it be possible for someone with malicious intent to alter the value of HttpContext.Current.User.Identity.Name from the client side?
Monday, February 16, 2015 11:08 AM
Answers
User753101303 posted
Hi,
Likely depends on which authentication method is used. You won't be able to do that directly, but you could steal authentication cookies and reuse them on your own machine to be logged in as this user.
A first step is likely to make sure to use SSL with strong encryption. Try https://msdn.microsoft.com/en-us/library/ff648341.aspx ("outdated" but still seems helpful to me).
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Wednesday, March 4, 2015 7:12 AM
All replies
User-734925760 posted
Hi,
So far as I know, you need to disable anonymous authentication and enable Windows authentication; then you should be able to get the username. Then you can use it and update it.
For more information, please refer to the link below:
http://forums.asp.net/t/1740169.aspx?How+to+get+Client+UserName+in+asp+net
Hope it's useful for you.
Best Regards,
Michelle Ge
Monday, February 16, 2015 9:43 PM
User-802546231 posted
Hi, I know how to use Windows authentication; what I'm asking is whether it is possible for a client to fake this, i.e. pretend it is a user it is not, or replace the name with some other value.
For example, if a client was able to replace this value with ";drop schema;", someone not parameterising their SQL could be in a spot of trouble.
Tuesday, February 17, 2015 4:49 AM
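As an added illustration of the parameterisation point raised in the post above (example code written for this page, not code from any of the posters), here is the difference between concatenating HttpContext.Current.User.Identity.Name into SQL text and passing it as a typed parameter. It assumes classic ASP.NET on .NET Framework with System.Data.SqlClient; the table dbo.UserProfile and its UserName/DisplayName columns are hypothetical names chosen for the example.

```csharp
// Added example (not from the thread). Assumes ASP.NET on .NET Framework
// with System.Data.SqlClient. The table dbo.UserProfile and the columns
// UserName / DisplayName are hypothetical.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public static class UserProfileLookup
{
    // VULNERABLE: whatever the identity name contains becomes part of the
    // SQL statement. This is exactly the exposure the question describes:
    // the application, not the authentication layer, is what makes the
    // value dangerous.
    public static string BuildQueryUnsafe(string identityName)
    {
        return "SELECT DisplayName FROM dbo.UserProfile WHERE UserName = '"
               + identityName + "'";
    }

    // HARDENED: the name is bound as an NVARCHAR parameter, so it can only
    // ever be compared as data and cannot change the shape of the statement,
    // no matter which characters it holds.
    public static string LookupDisplayName(SqlConnection connection)
    {
        HttpContext ctx = HttpContext.Current;

        // Do not trust Identity.Name from an unauthenticated principal: with
        // anonymous access enabled it is simply the empty string, not a
        // verified Windows or Forms user.
        if (ctx == null || ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("Request is not authenticated.");

        const string sql =
            "SELECT DisplayName FROM dbo.UserProfile WHERE UserName = @userName";

        using (var cmd = new SqlCommand(sql, connection))
        {
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value =
                ctx.User.Identity.Name;
            return cmd.ExecuteScalar() as string;
        }
    }
}
```

Calling BuildQueryUnsafe with the thread's own sample value ";drop schema;" shows the problem directly: the returned text is no longer a single SELECT. LookupDisplayName is the form to prefer, and the IsAuthenticated check matters because the answer's point about cookie theft only applies to an authenticated session; an anonymous request carries an empty name rather than a forged one. For Forms authentication, the cookie-theft risk the accepted answer mentions is reduced in web.config with requireSSL="true" on the forms element and httpOnlyCookies="true" together with requireSSL="true" on the httpCookies element, so the ticket is never sent over plain HTTP or exposed to client-side script.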
User-734925760 posted
Hi,
So far as I know, I don't think it's ok to replace the name.
Best Regards,
Michelle Ge
Tuesday, February 24, 2015 12:30 AM
User-802546231 posted
Sorry, I wasn't asking if it was OK; I was wondering if it is at all possible.
Monday, March 2, 2015 11:44 AM