Last post Mar 04, 2015 07:12 AM by PatriceSc
Feb 16, 2015 11:08 AM|Dr. Acula
I'm reviewing some code for a colleague and want to be sure about this before I raise it (office politics rubbish...)
Would it be possible for someone with malicious intent to alter the value of HttpContext.Current.User.Identity.Name from the client side?
Feb 16, 2015 09:43 PM|Michelle Ge - MSFT
So far as I know, you need to disable anonymous authentication and enable Windows authentication; then you should be able to get the username. Then you can use it and update it.
For more information, please refer to the link below:
Hope it's useful for you.
Feb 17, 2015 04:49 AM|Dr. Acula
Hi, I know how to use Windows authentication; what I'm asking is whether it is possible for a client to fake this, i.e. pretend to be a user it is not, or replace the name with some other value.
For example, if a client were able to replace this value with ";drop schema;", someone not parameterising their SQL could be in a spot of trouble.
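The concern in the post above is whether Identity.Name can reach a SQL statement as attacker-controlled text. In ASP.NET the value is populated server-side by the authentication module (from the IIS-negotiated Windows token under Windows authentication, or from the MAC-validated and decrypted ticket under forms authentication, where tampering without the machineKey fails validation), so a client cannot simply set it to ";drop schema;". It is still a string that ends up in a query, and the defence that does not depend on that assumption is parameterisation. The following is an added illustration, not code from the thread: a hypothetical repository reading a user's theme from a hypothetical dbo.Preferences(UserName, Theme) table, first spliced into the SQL text, then parameterised with an explicit authentication check.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Added example (not from the thread). The table dbo.Preferences(UserName, Theme)
// and the connection string passed in are hypothetical.
public static class PreferenceRepository
{
    // Vulnerable version: Identity.Name is concatenated into the SQL text.
    // Even though the authentication module, not the client, sets the name,
    // this code is only safe for as long as that assumption holds for every
    // authentication mode the site is ever deployed with.
    public static string GetThemeUnsafe(string connectionString)
    {
        string user = HttpContext.Current.User.Identity.Name;
        string sql = "SELECT Theme FROM dbo.Preferences WHERE UserName = '" + user + "'";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }

    // Hardened version: the name travels as a typed parameter, so it can never be
    // parsed as SQL, and an unauthenticated request (Identity.Name is "" under
    // anonymous access) is rejected before any query runs.
    public static string GetTheme(string connectionString)
    {
        var identity = HttpContext.Current.User.Identity;
        if (identity == null || !identity.IsAuthenticated)
            throw new InvalidOperationException("Request is not authenticated.");

        const string sql = "SELECT Theme FROM dbo.Preferences WHERE UserName = @user";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 256).Value = identity.Name;
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }
}
```

The IsAuthenticated check matters in its own right: if anonymous access is left enabled alongside Windows authentication, an anonymous request reaches the handler with an empty name rather than failing, and the query silently runs for nobody.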
Feb 24, 2015 12:30 AM|Michelle Ge - MSFT
So far as I know, I don't think it's ok to replace the name.
Mar 02, 2015 11:44 AM|Dr. Acula
Sorry, I wasn't asking if it was OK; I was wondering if it is at all possible.
Mar 04, 2015 07:12 AM|PatriceSc
It likely depends on which authentication method is used. You won't be able to do that directly, but you could steal authentication cookies and reuse them on your own machine to be logged in as this user.
A first step is likely to make sure to use SSL with strong encryption. Try
https://msdn.microsoft.com/en-us/library/ff648341.aspx ("outdated" but still seems helpful to me).
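The cookie-theft route described above applies to forms authentication, where the identity lives in a ticket cookie that anyone holding it can replay. The two web.config fragments below are an added example, not configuration from the thread or from any particular project: the first shows settings that leave the ticket exposed to capture on the wire or by script, the second the hardened equivalent. The loginUrl path is a placeholder.

```xml
<!-- Added example, not from the thread. Two alternative fragments; use one. -->

<!-- Weak: ticket cookie is issued over plain HTTP, readable by script,
     and kept alive for two days with a sliding window. -->
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Account/Login" requireSSL="false"
           slidingExpiration="true" timeout="2880" />
  </authentication>
  <httpCookies httpOnlyCookies="false" />
</system.web>

<!-- Hardened: ASP.NET refuses to issue or honour the ticket except over HTTPS,
     marks every cookie HttpOnly and Secure, forces cookie (not URL) transport,
     and gives the ticket a short absolute lifetime so a captured copy
     stops working soon. -->
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Account/Login" requireSSL="true"
           slidingExpiration="false" timeout="30" cookieless="UseCookies" />
  </authentication>
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
```

These settings narrow how the cookie can be stolen (network sniffing, cross-site scripting, leakage in URLs) and how long a stolen one stays valid; they do not stop replay of a cookie the attacker already holds, which is why the short absolute timeout is part of the hardened fragment rather than an optional extra.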