
.NET Forum / .NET Framework / Security / January 2006


System.Environment.UserName

Brian P - 25 Jan 2006 17:37 GMT
How secure is it to use System.Environment.UserName for login purposes?
We have an Active Directory so I was thinking to just use UserName
instead of prompting for a username and password and having to
authenticate myself.

There isn't a high need for watertight security, so this seems okay to
use.  Anyone see a reason not to?

--Brian
Jas - 25 Jan 2006 17:46 GMT
If the application doesn't protect super sensitive resources, this is common
in intranet applications.

jas'

> How secure is it to use System.Environment.UserName for login purposes.
>   We have an Active Directory so I was thinking to just use UserName
[quoted text clipped - 5 lines]
>
> --Brian
Dominick Baier [DevelopMentor] - 25 Jan 2006 18:37 GMT
hi,

use WindowsIdentity.GetCurrent().Name

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> If the application doesn't protect super sensitive resources, this is
> common in intranet applications.
[quoted text clipped - 9 lines]
>>
>> --Brian
Rene - 26 Jan 2006 02:31 GMT
Can't all the properties of these classes be extremely easily overridden
using reflection? This would make even an amateur programmer using your
assemblies capable of fooling the security strategy very easily, would it?

> hi,
> use WindowsIdentity.GetCurrent().Name
[quoted text clipped - 16 lines]
>>>
>>> --Brian
Dominick Baier [DevelopMentor] - 26 Jan 2006 06:30 GMT
Hi,

you mean someone tampered with the class library??

You are absolutely right - just like someone who modified your OS system
files....

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Can't all the properties of these classes be extremely easily
> overridden using reflection? This would make even an amateur
[quoted text clipped - 19 lines]
>>>>
>>>> --Brian
Brian P - 26 Jan 2006 16:08 GMT
The application isn't a library, so I'm not too worried about someone
hacking it that way.  (Side note, it wouldn't automatically fool the
application, since the username would still need to be valid and there
are role names that also are specified).

I'm more interested if someone can just edit the registry to fake out
the username property.

--Brian

> Can't all the properties of these classes be extremely easily overridden
> using reflection? This would make even an amateur programmer using your
> assemblies capable of fooling the security strategy very easily, would it?
Dominick Baier [DevelopMentor] - 26 Jan 2006 16:31 GMT
Hi,

WindowsIdentity.GetCurrent() inspects the Windows Token that is attached
to the process - this contains the security relevant information about the
user that has started the process.

No registry involved...

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> The application isn't a library, so I'm not too worried about someone
> hacking it that way.  (Side note, it wouldn't automatically fool the
[quoted text clipped - 10 lines]
>> programmer using your assemblies capable of fooling the security
>> strategy very easily would it?
Brian P - 26 Jan 2006 19:51 GMT
That's perfect!

If only everything was so easy...

--Brian

> Hi,
> WindowsIdentity.GetCurrent() inspects the Windows Token that is attached
[quoted text clipped - 21 lines]
>>> programmer using your assemblies capable of fooling the security
>>> strategy very easily would it?
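
Added example, not part of the original thread or written by any of its posters: a minimal C# console program that takes the login identity from the process token via WindowsIdentity.GetCurrent(), as recommended above, and checks a role against the token's group memberships. The group name `EXAMPLE\AppUsers` and the class name `TokenLogin` are placeholders assumed for illustration.

```csharp
using System;
using System.Security.Principal;

static class TokenLogin
{
    // Hypothetical AD group that maps to an application role (placeholder name).
    const string RequiredGroup = @"EXAMPLE\AppUsers";

    static int Main()
    {
        // GetCurrent() reads the access token of the process (or of the
        // thread, when impersonating); no registry lookup is involved.
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            // Reject tokens that do not represent a real, authenticated user.
            if (!identity.IsAuthenticated || identity.IsAnonymous || identity.IsGuest)
            {
                Console.Error.WriteLine("No authenticated Windows user on this token.");
                return 1;
            }

            // Name is DOMAIN\user (or MACHINE\user for a local account).
            // Environment.UserName returns only the bare user name, so a local
            // and a domain account with the same name look identical there.
            Console.WriteLine("Token identity : {0}", identity.Name);
            Console.WriteLine("Bare user name : {0}", Environment.UserName);
            Console.WriteLine("Auth package   : {0}", identity.AuthenticationType);

            // The SID is the stable key for an account; names can be renamed or reused.
            Console.WriteLine("User SID       : {0}", identity.User);

            // Role check against the group SIDs carried in the token.
            WindowsPrincipal principal = new WindowsPrincipal(identity);
            if (!principal.IsInRole(RequiredGroup))
            {
                Console.Error.WriteLine("{0} is not a member of {1}.", identity.Name, RequiredGroup);
                return 2;
            }

            Console.WriteLine("Access granted to {0}.", identity.Name);
            return 0;
        }
    }
}
```

Keying application records on the SID or the fully qualified name, rather than the bare user name, keeps a local account from being mistaken for a domain account of the same name.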

©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.