Custom IIdentity w/ FormsAuthentication

Discussion in 'ASP .Net' started by Spam Catcher, Jan 6, 2006.

  1. Spam Catcher

    Spam Catcher Guest

    Hi all,

    I created a custom IIdentity class to store additional properties for a
    logged in user.

    The only way I've been able to assign a custom IIdentity when using
    FormsAuthentication is to swap it in the Begin_AuthenticateRequest event in
    the global.asax.

    Is it safe to susbstitute a custom IIdentity in place of the "standard"
    FormsIdentity?

    Does anyone know if this will create any security problems?

    I've swapped my custom IIdentity into a GenericPrincipal and it seems to
    work ok...

    --
    Stan Kee ()
     
    Spam Catcher, Jan 6, 2006
    #1
    1. Advertising

  2. Spam Catcher

    Guest

    Here is a decent article.
    http://www.leastprivilege.com/ContextUserVsThreadCurrentPrincipal.aspx

    Are you saying that:
    // Attach the new principal object to the current HttpContext object
    Context.User = principal;


    fails, unless you have it in
    Begin_AuthenticateRequest ?




    Spam Catcher wrote:
    > Hi all,
    >
    > I created a custom IIdentity class to store additional properties for a
    > logged in user.
    >
    > The only way I've been able to assign a custom IIdentity when using
    > FormsAuthentication is to swap it in the Begin_AuthenticateRequest event in
    > the global.asax.
    >
    > Is it safe to susbstitute a custom IIdentity in place of the "standard"
    > FormsIdentity?
    >
    > Does anyone know if this will create any security problems?
    >
    > I've swapped my custom IIdentity into a GenericPrincipal and it seems to
    > work ok...
    >
    > --
    > Stan Kee ()
     
    , Jan 7, 2006
    #2
    1. Advertising

  3. Spam Catcher

    Spam Catcher Guest

    wrote in news:1136592775.521688.25760
    @g44g2000cwa.googlegroups.com:

    > Are you saying that:
    > // Attach the new principal object to the current HttpContext object
    > Context.User = principal;
    >
    >
    > fails, unless you have it in
    > Begin_AuthenticateRequest ?
    >


    I've attached a custom principal AND custom identity within the
    Application_AuthenticateRequest event handler ... and it seems to be
    working OK???

    So what I'm worried out:

    I am no longer using the FormsIdentity Object - yet forms authentication
    works OK. Have I created any security holes?

    --
    Stan Kee ()
     
    Spam Catcher, Jan 7, 2006
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Tim Mulholland

    Custom IIdentity class - how to set it?

    Tim Mulholland, Feb 20, 2004, in forum: ASP .Net
    Replies:
    6
    Views:
    4,667
    Steven Cheng[MSFT]
    Feb 24, 2004
  2. Craig Buchanan

    IIdentity casting problem

    Craig Buchanan, Feb 24, 2004, in forum: ASP .Net
    Replies:
    4
    Views:
    1,006
    Craig Buchanan
    Feb 24, 2004
  3. Amar

    Stupid Question ? IIdentity

    Amar, Dec 7, 2004, in forum: ASP .Net
    Replies:
    1
    Views:
    360
    Paul Glavich [MVP ASP.NET]
    Dec 7, 2004
  4. Random

    Custom IIdentity object casting

    Random, Jan 25, 2008, in forum: ASP .Net
    Replies:
    0
    Views:
    455
    Random
    Jan 25, 2008
  5. Corker

    Override User.Identity.Name or Custom IIdentity

    Corker, Mar 8, 2010, in forum: ASP .Net Security
    Replies:
    1
    Views:
    1,335
    Joe Kaplan
    Mar 10, 2010
Loading...

Share This Page