
Custom IIdentity w/ FormsAuthentication

Author
6 Jan 2006 8:29 AM
Spam Catcher
Hi all,

I created a custom IIdentity class to store additional properties for a
logged in user.

The only way I've been able to assign a custom IIdentity when using
FormsAuthentication is to swap it in the Begin_AuthenticateRequest event in
the global.asax.

Is it safe to substitute a custom IIdentity in place of the "standard"
FormsIdentity?

Does anyone know if this will create any security problems?

I've swapped my custom IIdentity into a GenericPrincipal and it seems to
work ok...

--
Stan Kee (spamhoneypot@rogers.com)

Author
7 Jan 2006 12:12 AM
sloan
Here is a decent article.
http://www.leastprivilege.com/ContextUserVsThreadCurrentPrincipal.aspx

Are you saying that:
// Attach the new principal object to the current HttpContext object
Context.User = principal;


fails, unless you have it in
Begin_AuthenticateRequest ?




Spam Catcher wrote:
> Hi all,
>
> I created a custom IIdentity class to store additional properties for a
> logged in user.
>
> The only way I've been able to assign a custom IIdentity when using
> FormsAuthentication is to swap it in the Begin_AuthenticateRequest event in
> the global.asax.
>
> Is it safe to substitute a custom IIdentity in place of the "standard"
> FormsIdentity?
>
> Does anyone know if this will create any security problems?
>
> I've swapped my custom IIdentity into a GenericPrincipal and it seems to
> work ok...
>
> --
> Stan Kee (spamhoneypot@rogers.com)
Author
7 Jan 2006 4:17 AM
Spam Catcher
sl***@ipass.net wrote in news:1136592775.521688.25760
@g44g2000cwa.googlegroups.com:

> Are you saying that:
> // Attach the new principal object to the current HttpContext object
> Context.User = principal;
>
>
> fails, unless you have it in
> Begin_AuthenticateRequest ?
>

I've attached a custom principal AND custom identity within the
Application_AuthenticateRequest event handler ... and it seems to be
working OK???

So what I'm worried about:

I am no longer using the FormsIdentity Object - yet forms authentication
works OK. Have I created any security holes?

--
Stan Kee (spamhoneypot@rogers.com)
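
The swap discussed in this thread, as an added example that is not part of any post or of the linked article: a custom IIdentity that wraps the FormsIdentity instead of discarding it, so Name and IsAuthenticated still come from the ticket that forms authentication accepted. The CustomIdentity class, its Department property and the use of the ticket's UserData field to carry it are assumptions made for illustration.

```csharp
// Global.asax.cs -- added illustration, not code from the thread.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical custom identity: wraps the FormsIdentity that forms
// authentication already accepted and adds one extra property.
public sealed class CustomIdentity : IIdentity
{
    private readonly FormsIdentity inner;
    private readonly string department;   // hypothetical extra property

    public CustomIdentity(FormsIdentity inner, string department)
    {
        if (inner == null) throw new ArgumentNullException("inner");
        this.inner = inner;
        this.department = department;
    }

    // Security-relevant answers are delegated, never recomputed here.
    public string Name { get { return inner.Name; } }
    public bool IsAuthenticated { get { return inner.IsAuthenticated; } }
    public string AuthenticationType { get { return inner.AuthenticationType; } }
    public FormsAuthenticationTicket Ticket { get { return inner.Ticket; } }
    public string Department { get { return department; } }
}

public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // Swap only when forms authentication has produced an
        // authenticated FormsIdentity; otherwise leave Context.User alone.
        if (Context.User == null) return;
        FormsIdentity forms = Context.User.Identity as FormsIdentity;
        if (forms == null || !forms.IsAuthenticated) return;

        // Assumption: the extra value was stored in UserData when the
        // ticket was issued, so it arrives inside the ticket itself.
        string department = forms.Ticket.UserData;

        // Attach the new principal object to the current HttpContext object.
        Context.User = new GenericPrincipal(
            new CustomIdentity(forms, department), new string[0]);
    }
}
```

Because the handler returns early for anonymous requests, the custom identity can never report IsAuthenticated as true on its own; that decision stays with the forms authentication ticket.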
