Why use FormsAuthenticationTicket with Windows Authentication?

I read a ton of things on the Internet about authentication and authorization and finally settled on some code that seems to work ... but I don’t quite understand everything that it does (as far as FormsAuthenticationTicket).

In the MVC application I'm working with, some sensitive data will be processed, and I want to triple check everything that I do that is related to authentication and authorization.

I am using Windows auth:

    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>

I have a set of tables in SQL Server with additional user information and permission.

  • Users
  • Roles
  • UsersInRoles
  • Other tables that define objects in the application and their associated permissions.

In my Global.asax, I have the following methods inspired by

http://www.codeproject.com/Articles/5182/Insight-into-Security-Model-using-Principal-and-Id

    protected void WindowsAuthentication_OnAuthenticate(object sender, WindowsAuthenticationEventArgs e)
    {
        if (e.Identity == null || !e.Identity.IsAuthenticated)
        {
            // Redirect to error or access denied page
            return; // without this, e.Identity.Name below dereferences a null identity
        }

        // Stored in the ticket's UserData slot ("Negotiate", "NTLM", ...)
        string userData = e.Identity.AuthenticationType;

        // Warm the per-user cache (2 minute absolute expiry) from SQL Server
        var cachedUser = HttpContext.Current.Cache[e.Identity.Name] as User;
        if (cachedUser == null)
        {
            var user = repo.GetUserByFullUserName(e.Identity.Name);
            HttpContext.Current.Cache.Insert(e.Identity.Name, user, null,
                DateTime.Now.AddMinutes(2), Cache.NoSlidingExpiration);
            cachedUser = HttpContext.Current.Cache[e.Identity.Name] as User;
        }

        var userIdentity = e.Identity.Name;

        // Issue a 2 minute, non-persistent ticket carrying the Windows user name
        // and send it back in the "authCookie" cookie
        var formsAuthTicket = new FormsAuthenticationTicket(
            1, e.Identity.Name, DateTime.Now, DateTime.Now.AddMinutes(2), false, userData);
        var encryptedTicket = FormsAuthentication.Encrypt(formsAuthTicket);
        var httpcook = new HttpCookie("authCookie", encryptedTicket);
        Response.Cookies.Add(httpcook);
    }

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (Request.IsAuthenticated)
        {
            // Read the ticket back and rebuild the custom principal from it.
            // Note: Decrypt throws if the cookie has been tampered with.
            var httpcook = Context.Request.Cookies["authCookie"];
            var formsAuthTicket = FormsAuthentication.Decrypt(httpcook.Value);

            var cachedUser = GetCachedUser(formsAuthTicket.Name);
            if (cachedUser == null)
            {
                cachedUser = CreateCachedUser(formsAuthTicket.Name);
            }

            var genIdentity = new GenericCustomIdentity(cachedUser, Request.IsAuthenticated, formsAuthTicket.UserData);
            var genPrincipal = new GenericCustomPrincipal(genIdentity, cachedUser);
            HttpContext.Current.User = genPrincipal;
        }
    }

So here are my questions:

  • Why do I need a FormsAuthenticationTicket in the WindowsAuthentication_OnAuthenticate method? Can't I just create Identity and Principal objects in the WinAuth method?

  • Does user data in HttpContext.Current.Cache pose a security risk? Since these methods are called many times, I do not want to hit every single request. Is there a safer alternative?

  • I am not familiar with the use of FormsAuthenticationTickets, Identity and Principal, so any comments or suggestions would be greatly appreciated. Sorry, this is not a question.

1 answer

Why do I need a FormsAuthenticationTicket in the WindowsAuthentication_OnAuthenticate method? Can't I just create Identity and Principal objects in the WinAuth method?

Identity and Principal objects exist only during the current call / request from the client. They are part of the HttpContext and, for lack of a better term, are thrown away at the end of the request. As soon as the authenticated person connects again, a new request is created, and by default they are not authenticated.

FormsAuthenticationTicket (by default) uses a client-side cookie to store authentication information for each subsequent request. This allows the Application_AuthenticateRequest method to use the cookie to reauthorize the request.

Does user data in HttpContext.Current.Cache pose a security risk? Since these methods are called many times, I do not want to hit every single request. Is there a safer alternative?

HttpContext.Cache is stored in memory. If the server resets or the application pool restarts for any reason, the cache is gone.

Yes, this is a security risk: you are saving user information in server memory. However, the risk is very small unless someone has your code to find out how you use the cache and can upload code to read the cache.

I am not familiar with the use of FormsAuthenticationTickets, Identity and Principal, so any comments or suggestions would be greatly appreciated. Sorry, this is not a question.

Have a look at the reference for HttpContext.User (IPrincipal) and its Identity property of type IIdentity. Not the most descriptive answer, but both interfaces are extremely simple.

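The answer above covers the two halves of the pattern: an IIdentity/IPrincipal pair that lives for one request, and a FormsAuthenticationTicket cookie that carries state across requests. The following is an added example, not code from the question or the answer, showing both with the checks a practitioner would want when the data is sensitive: the cookie is HttpOnly and Secure, a cookie that fails to decrypt or has expired is discarded rather than throwing out of Application_AuthenticateRequest, and the ticket's Name is compared against the WindowsIdentity that IIS just authenticated, so a ticket issued to one user cannot be replayed on another user's connection. AppIdentity and AppPrincipal are hypothetical stand-ins for the page's GenericCustomIdentity/GenericCustomPrincipal; the role list is assumed to be passed in from whatever SQL lookup replaces repo.GetUserByFullUserName. The cookie name "authCookie" and the 2 minute lifetime are taken from the question.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical identity/principal pair. Both interfaces are small: IIdentity is
// three properties, IPrincipal is Identity plus IsInRole.
public sealed class AppIdentity : IIdentity
{
    public AppIdentity(string name, string authenticationType, string[] roles)
    {
        Name = name;
        AuthenticationType = authenticationType;
        Roles = roles ?? new string[0];
    }

    public string Name { get; private set; }
    public string AuthenticationType { get; private set; }
    public bool IsAuthenticated { get { return !string.IsNullOrEmpty(Name); } }
    public string[] Roles { get; private set; }
}

public sealed class AppPrincipal : IPrincipal
{
    private readonly AppIdentity _identity;

    public AppPrincipal(AppIdentity identity) { _identity = identity; }

    public IIdentity Identity { get { return _identity; } }

    public bool IsInRole(string role)
    {
        return _identity.Roles.Contains(role, StringComparer.OrdinalIgnoreCase);
    }
}

public static class TicketAuth
{
    public const string CookieName = "authCookie";              // name used in the question
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(2);

    // Issue the ticket once per Windows logon (call from WindowsAuthentication_OnAuthenticate).
    // UserData carries the role list so that later requests skip the SQL lookup; the user
    // name itself is re-asserted by Windows authentication on every request anyway.
    // 'roles' is assumed to come from the application's own user/role tables.
    public static HttpCookie IssueCookie(IIdentity windowsIdentity, string[] roles, bool requestIsHttps)
    {
        var now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, windowsIdentity.Name, now, now.Add(Lifetime),
            false, string.Join("|", roles));

        return new HttpCookie(CookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,            // not readable from script
            Secure = requestIsHttps,    // never sent over plain HTTP on an HTTPS site
            Path = FormsAuthentication.FormsCookiePath
        };
    }

    // Rebuild the principal from the cookie (call from Application_AuthenticateRequest).
    // Returns null, meaning "fall back to a fresh lookup", when the cookie is missing,
    // cannot be decrypted, has expired, or was issued to a different Windows user.
    public static AppPrincipal TryRestore(HttpCookie cookie, IIdentity windowsIdentity)
    {
        if (cookie == null || windowsIdentity == null || !windowsIdentity.IsAuthenticated)
            return null;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            // Tampered, truncated, or encrypted under a different machineKey. The exact
            // exception type varies between framework versions, so every failure is
            // treated the same way: the cookie is worthless.
            return null;
        }

        if (ticket == null || ticket.Expired)
            return null;

        // Bind the ticket to the identity IIS authenticated for this request. Without
        // this check a ticket captured from one user's session would be accepted on
        // another authenticated user's connection.
        if (!string.Equals(ticket.Name, windowsIdentity.Name, StringComparison.OrdinalIgnoreCase))
            return null;

        var roles = ticket.UserData.Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
        return new AppPrincipal(new AppIdentity(ticket.Name, windowsIdentity.AuthenticationType, roles));
    }
}
```

In Global.asax, WindowsAuthentication_OnAuthenticate would call TicketAuth.IssueCookie(e.Identity, roles, Request.IsSecureConnection) and add the result to Response.Cookies; Application_AuthenticateRequest would call TicketAuth.TryRestore(Request.Cookies[TicketAuth.CookieName], Context.User.Identity) and, on a non-null result, assign it to HttpContext.Current.User, otherwise repeat the database lookup and issue a fresh cookie. Because the ticket is only trusted when its Name matches the Windows identity, the cookie never grants anything the Windows logon did not already establish; it only saves the round trip to SQL Server for the role data.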

Source: https://habr.com/ru/post/947256/
