Last post Jun 30, 2008 12:02 PM by Jas001
Jun 30, 2008 11:29 AM | jaspersiegmund
During development of a web application, I'm running into a security problem which I don't exactly know how to fix.
I want to use the membership accounts from an Active Directory. So I've set up a connection string, and when a user tries to log in I retrieve the AD user with the exact same username. The name specified by the client is set in this.Request.ServerVariables["LOGON_USER"].
But is this secure enough? I would imagine it's not that hard to alter or recreate an HTTP header containing the LOGON_USER with a self-specified value. You would only have to know (or guess) a correct AD account; the user is retrieved and automatically logged in.
You might ask why I don't just use Windows Authentication and nothing else, but I also need a way of managing which users have permissions to access certain parts of the site. The navigation is all role-based, and as far as I know it's not possible to add an Active Directory user to a role defined in the SQL users/roles tables.
Any advice on this would be appreciated!
Jun 30, 2008 12:02 PM | Jas001
The LogonUser environment variable is used for enforcing logon on your site.
So, no, it's not a security risk if you require that they use a password. However, for user IDs I use Windows authentication and get the user ID like so:
Why not use SQL to store your permissions? If you use AD, you will need to impersonate a specific account to get past security issues, and you'll have to write the code to query for the user and role through their groups.
Or, you can just grab their ID and go look it up in a SQL table. :) And, provide a little page to update security.
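The approach Jas001 describes (take the identity IIS established through Windows Authentication, then look the account's roles up in a SQL table) as an added example; this is not code from the thread. It assumes an ASP.NET (System.Web) site with `<authentication mode="Windows" />` and `<deny users="?" />` in web.config, and a hypothetical table `UserRoles(UserName, RoleName)`.

```csharp
// Added example, not from the original thread.
// Assumes Windows Authentication is enabled in IIS and web.config contains
//   <authentication mode="Windows" /> and <authorization><deny users="?" /></authorization>
// Assumes a hypothetical SQL table UserRoles(UserName nvarchar(256), RoleName nvarchar(64)).
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

public static class WindowsAuthRoleLookup
{
    // Returns the account name IIS authenticated (e.g. DOMAIN\jdoe), or null if the
    // request is anonymous. The identity comes from the authenticated principal,
    // not from a request header or a server variable the page reads by name.
    public static string GetAuthenticatedUser(HttpContext ctx)
    {
        var identity = ctx.User == null ? null : ctx.User.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated || identity.IsAnonymous)
            return null;
        return identity.Name;
    }

    // Reads the roles assigned to the account from SQL with a parameterised query,
    // so the account name is never concatenated into the SQL text.
    public static IList<string> GetRoles(string connectionString, string userName)
    {
        var roles = new List<string>();
        if (string.IsNullOrEmpty(userName))
            return roles; // anonymous request: no roles at all

        const string sql = "SELECT RoleName FROM UserRoles WHERE UserName = @user";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    roles.Add(reader.GetString(0));
            }
        }
        return roles;
    }

    // Convenience check for role-based navigation: show a section only if the
    // authenticated account holds the named role.
    public static bool IsInRole(string connectionString, HttpContext ctx, string role)
    {
        var user = GetAuthenticatedUser(ctx);
        return user != null && GetRoles(connectionString, user).Contains(role);
    }
}
```

With `<deny users="?" />` in place, unauthenticated requests never reach the page, so `GetAuthenticatedUser` returning null is a defensive check rather than the primary gate.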