
Professional ASP.NET 3.5 Security, Membership, and Role Management with C# and VB by Stefan Schackow, Bilal Haidar


3.4. Summary

On each ASP.NET request, there are four different security identities to be aware of:

  • The operating system thread identity.

  • The request authenticated identity set by IIS.

  • The IPrincipal available on Thread.CurrentPrincipal.

  • The IPrincipal available from HttpContext.Current.User.

If you are using Windows authentication in your ASP.NET application, the impersonation token from IIS is used to create a WindowsIdentity for both the current thread and the current context. If the current request comes from an anonymous user, the WindowsIdentity is simply the value returned by WindowsIdentity.GetAnonymous. For authenticated users, the WindowsIdentity represents the authenticated user credentials from the IIS impersonation token. For applications running on a UNC share, the WindowsIdentity that is created represents either the anonymous user account configured in IIS or the credentials that were used to authenticate the user.

If you are using forms authentication, though, the impersonation token set by IIS has no bearing on the security information set on the thread and the context. Instead, for authenticated users, the FormsAuthenticationModule will create a GenericPrincipal containing a FormsIdentity and set this value on the current context's User property.
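The four identities listed above can be compared on a live request with a small diagnostic handler. This is an added example, not code from the book; the class name IdentityReport and its registration as a handler in web.config are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;

// Hypothetical diagnostic handler: reports the four identities for one request.
public class IdentityReport : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Account names are sensitive: answer only requests made from the server itself.
        if (!context.Request.IsLocal) { context.Response.StatusCode = 404; return; }

        WindowsIdentity osThread = WindowsIdentity.GetCurrent();      // 1. OS thread identity
        WindowsIdentity iisUser = context.Request.LogonUserIdentity;  // 2. identity set by IIS
        IPrincipal threadPrincipal = Thread.CurrentPrincipal;         // 3. Thread.CurrentPrincipal
        IPrincipal contextUser = context.User;                        // 4. HttpContext.Current.User

        HttpResponse r = context.Response;
        r.ContentType = "text/plain";
        r.Write(Describe("OS thread identity", osThread));
        r.Write(Describe("IIS request identity", iisUser));
        r.Write(Describe("Thread.CurrentPrincipal", threadPrincipal == null ? null : threadPrincipal.Identity));
        r.Write(Describe("HttpContext.Current.User", contextUser == null ? null : contextUser.Identity));

        // The OS thread identity is what file and network access checks see.
        if (osThread != null && iisUser != null &&
            !string.Equals(osThread.Name, iisUser.Name, StringComparison.OrdinalIgnoreCase))
            r.Write("NOTE: the thread is not running as the IIS request identity.\r\n");

        // Forms authentication (or no authentication module) leaves a non-Windows
        // identity on the context, unrelated to the IIS impersonation token.
        if (contextUser != null && !(contextUser.Identity is WindowsIdentity))
            r.Write("NOTE: context user is not a WindowsIdentity; URL and role checks use it, not the IIS token.\r\n");

        if (contextUser != null && !contextUser.Identity.IsAuthenticated)
            r.Write("NOTE: request is anonymous from the application's point of view.\r\n");
    }

    private static string Describe(string label, IIdentity id)
    {
        if (id == null) return label + ": (none)\r\n";
        return string.Format("{0}: type={1}, name=\"{2}\", authType=\"{3}\", authenticated={4}\r\n",
            label, id.GetType().Name, id.Name, id.AuthenticationType, id.IsAuthenticated);
    }
}
```

Requesting the handler once under Windows authentication and once under forms authentication shows the context user switching from a WindowsIdentity to a FormsIdentity while the IIS request identity stays whatever IIS negotiated.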

If no authentication module sets an IPrincipal on the current context's User property, the hidden DefaultAuthenticationModule will create a GenericPrincipal with a username set to the empty string and set this value on the current ...
