Security Issues Retrieving Authentication Ticket From Current Httpcontext Rather Than From Authentication Cookie
From: Mike (anonymous_at_discussions.microsoft.com)
Date: 03/31/04
- Previous message: Ken Schaefer: "Re: apsnet_wp.exe non-default identity vs. System.Web.Mail.SmtpMail"
Date: Tue, 30 Mar 2004 18:16:08 -0800
Hi, I asked this question earlier but either no one could understand what I was asking or didn't know the answer, so I'll try again. What are the security issues or risks, if any, involved in retrieving the authentication ticket from the current HttpContext rather than retrieving it from the authentication cookie? Most of the examples I have come across retrieve the authentication ticket from the authentication cookie. I don't know how the HttpContext is built, so an explanation or link might help.
Here are two snippets of code showing how to assign a principal to the current HttpContext.
// Create principal from roles contained in the current HttpContext authentication ticket's UserData field
if (Context.Request.IsAuthenticated)
{
    string[] arrRoles;
    // retrieve the user's identity from the HttpContext user; 'as' yields null instead of
    // throwing InvalidCastException when the identity was not produced by forms authentication
    FormsIdentity ident = Context.User.Identity as FormsIdentity;
    if (ident != null)
    {
        // retrieve roles from the authentication ticket's UserData field
        arrRoles = ident.Ticket.UserData.Split(new char[] {'|'});
        // create principal and attach to user
        Context.User = new GenericPrincipal(ident, arrRoles);
    }
}
---------------------------------------------------------------------------------------------------------------------
// Create principal from roles contained in the authentication cookie's authentication ticket's UserData field
// extract the forms authentication cookie
string cookieName = FormsAuthentication.FormsCookieName;
HttpCookie authCookie = Context.Request.Cookies[cookieName];
if (null == authCookie)
{
    // there is no authentication cookie
    return;
}
// extract and decrypt the authentication ticket from the forms authentication cookie
FormsAuthenticationTicket authTicket = null;
try
{
    authTicket = FormsAuthentication.Decrypt(authCookie.Value);
}
catch (Exception)
{
    // cookie could not be decrypted (tampered or encrypted with another key)
    return;
}
if (null == authTicket)
{
    // cookie failed to decrypt
    return;
}
// parse out the pipe-separated list of role names attached to the ticket when
// the user was originally authenticated
// when the ticket was created, the UserData property was assigned a
// pipe-delimited string of role names
string[] roles = authTicket.UserData.Split(new char[] {'|'});
// create a FormsIdentity object with the user name obtained from the ticket name
// and a GenericPrincipal object that contains this identity together with the user's role list
// create an Identity object
FormsIdentity id = new FormsIdentity(authTicket);
// this principal will flow throughout the request
GenericPrincipal principal = new GenericPrincipal(id, roles);
// attach the new principal object to the current HttpContext object
Context.User = principal;
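The following is an added example (not code from Mike's post) showing both approaches side by side in a Global.asax Application_AuthenticateRequest handler. By the time that handler runs, the framework's FormsAuthenticationModule has already decrypted the forms cookie, rejected expired or tampered tickets, and placed a FormsIdentity in Context.User, so reading the ticket from the context reuses the same validation as decrypting the cookie yourself. The two things that differ are what the example makes explicit: the hard cast in the context-based snippet throws when the identity is not a FormsIdentity (for instance under a different authentication mode), and a hand-rolled cookie decryption must check FormsAuthenticationTicket.Expired itself, since FormsAuthentication.Decrypt does not. The pipe-delimited role list in UserData is the convention from the post, not something the framework enforces; the helper name SplitRoles is the example's own.

```csharp
// Added example, not part of the original post.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;

        // Path 1: take the ticket from the context. FormsAuthenticationModule has
        // already decrypted the cookie and dropped expired tickets before this
        // handler runs. Use 'as' so a non-forms identity yields null instead of
        // throwing InvalidCastException.
        FormsIdentity ident = (ctx.User == null) ? null : ctx.User.Identity as FormsIdentity;
        if (ident != null && ident.IsAuthenticated)
        {
            ctx.User = new GenericPrincipal(ident, SplitRoles(ident.Ticket.UserData));
            return;
        }

        // Path 2: decrypt the cookie yourself and repeat the module's checks.
        HttpCookie authCookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null || authCookie.Value == null || authCookie.Value.Length == 0)
        {
            return; // anonymous request, leave ctx.User as the pipeline set it
        }

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (Exception)
        {
            // Tampered cookie or one encrypted under a different machineKey:
            // treat the request as anonymous rather than surfacing an error.
            return;
        }

        // Decrypt does not reject expired tickets; the module does, so do it here too.
        if (ticket == null || ticket.Expired)
        {
            return;
        }

        ctx.User = new GenericPrincipal(new FormsIdentity(ticket), SplitRoles(ticket.UserData));
    }

    // UserData carries a pipe-delimited role list written when the ticket was
    // issued (the post's convention). An empty UserData means no roles.
    private static string[] SplitRoles(string userData)
    {
        if (userData == null || userData.Length == 0)
        {
            return new string[0];
        }
        return userData.Split(new char[] { '|' });
    }
}
```

Whichever path is used, the roles come from UserData, which was written by the application when it issued the ticket and is protected by the same encryption and MAC as the rest of the cookie; neither path lets a client choose its own roles unless the ticket-issuing code does.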