我应该依靠User.Identity值吗?
[英]Should I rely on User.Identity value?
问题描述
I am interested in security connected with ASP.NET applications. 
我对与ASP.NET应用程序连接的安全性感兴趣。 When I am developing my websites I extensively use User.Identity.Name value to identify user. 在开发网站时,我广泛使用User.Identity.Name值来标识用户。 I am wondering if there is a possibility to modify request so that client could change this value and become other user. 我想知道是否有可能修改请求,以便客户端可以更改此值并成为其他用户。 If so how to identify users then and how to distinguish superuser safely? 如果是这样,那么如何识别用户,以及如何安全区分超级用户?
1 个解决方案
解决方案1
1 2016-01-05 09:20:45
Yes, you can rely on this value. 是的,您可以依靠此值。 The whole security of ASP.NET relies on it. ASP.NET的整个安全性都依赖于它。 It is stored in an encrypted cookie that can only be decrypted by the application. 它存储在只能由应用程序解密的加密cookie中。 If a malicious user tries to substitute the value of this cookie with another username he will not be able to encrypt the cookie because he doesn't have the machine keys. 如果恶意用户试图用另一个用户名替换此cookie的值,则他将无法加密cookie,因为他没有计算机密钥。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.