Re: Windows Impersonation in ASP.NET

Pierre posted an entry about impersonation in ASP.NET scenarios.

[Pierre] There are several scenarios where you have to use impersonation in ASP.NET. Consider, for example, you have to save and load files from a network share (file server). In that case, if the web site accepts anonymous authentication, you have to impersonate a Windows user who has enough privileges to access that resource. You have three choices (I guess):

- Elevate the ASP.NET process identity - worst case since you could compromise the whole site security
- Impersonate a Windows user during the single call (http://blogs.msdn.com/shawnfa/archive/2005/03/22/400749.aspx)
- Demand the task to a COM+ server application

I think that the last is the best since we have more security and maintenance control [...]

I agree with him that "Demand the task to a COM+ server application" is the best way of the three he listed. But for me impersonation is still a don't. By the way, I wanted to post this as a comment but "Comments on this post are closed". Yes, this is some criticism on weblogs.asp.net :-) ... So here is my opinion as a post in my blog: Avoid impersonation! If you need to "redirect a binary that is located on a different box than the webserver to the client", utilize another IIS on the 2nd machine or write a service that returns the binary data.

Next to XSS is SSS - Same Site Scripting

Via Willem Odendaal I opened the following web site: http://www.squarefree.com/bookmarklets/forms.html#frmget. It holds an interesting collection of bookmarklets (JavaScript commands that can be saved as bookmarks so they can be applied to every page that is opened in your browser). For example: "remove MaxLength" ... shows how important it is to use ASP.NET Validation Controls in your Web Applications.

@BASTA! #1

Yesterday I arrived in Frankfurt with a delay of 2 hours (thanks to the Deutsche Bahn). Monday is Workshop day and so I just sat around and did the same stuff that I would normally do in the office. I'm currently working on an ASP.NET project that uses v. 1.1 but will be converted to 2.0 with its "Go-Live". So I need to make sure that I don't do things that will stand in the way in the next version. Here are a few questions I'm currently asking myself:

- Do I like the idea of saving the properties of the Profile class in an ntext database column with the length of 6000?
- Will I accept that I can only use Membership with MediumTrust or higher?

In Germany we say: "Kommt Zeit, kommt Rat".

What ASP.NET Developers Should Always Do

[Dino Esposito] ...Introduced with ASP.NET 1.1, ViewStateUserKey is a string property on the Page class that only few developers admit to be familiar with. Why? Let's read what the documentation has to say about it. [...]

    void Page_Init (object sender, EventArgs e)
    {
        // Bind this page's view state to the current user's session
        ViewStateUserKey = Session.SessionID;
    }

There will be a few more that are familiar with that now :-)
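
Why the one-line Page_Init assignment above matters, as an added example that is not code from the original post, from Dino Esposito, or from ASP.NET itself: a simplified model of a view state MAC that mixes in a per-user key, so a field issued for one session fails validation when submitted under another. The class name, the key, the field format and the sample values are all constructed assumptions; ASP.NET's real serializer and MAC layout differ.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Simplified model only: not ASP.NET's real view state format or MAC layout.
static class ViewStateMacModel
{
    // Constructed stand-in for the server-side validation key.
    static readonly byte[] ServerKey = Encoding.UTF8.GetBytes("constructed-demo-key");

    // The MAC covers the state AND the per-user key (the role ViewStateUserKey plays).
    // The length prefix keeps (state, userKey) pairs unambiguous.
    static byte[] Tag(string state, string userKey)
    {
        using (var hmac = new HMACSHA256(ServerKey))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(state.Length + ":" + state + "|" + userKey));
    }

    public static string Protect(string state, string userKey)
    {
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(state)) + "." + Convert.ToBase64String(Tag(state, userKey));
    }

    public static bool TryValidate(string field, string userKey, out string state)
    {
        state = null;
        string[] parts = field.Split('.');
        if (parts.Length != 2) return false;
        try
        {
            string candidate = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0]));
            byte[] sent = Convert.FromBase64String(parts[1]);
            byte[] expected = Tag(candidate, userKey);
            int diff = sent.Length ^ expected.Length;            // compare without early exit
            for (int i = 0; i < sent.Length && i < expected.Length; i++) diff |= sent[i] ^ expected[i];
            if (diff != 0) return false;
            state = candidate;
            return true;
        }
        catch (FormatException) { return false; }                // malformed base64
    }

    static void Main()
    {
        string s;
        string keyed = Protect("cart=3;step=confirm", "session-A");   // constructed sample state
        Console.WriteLine("keyed, same session:  " + TryValidate(keyed, "session-A", out s));
        Console.WriteLine("keyed, other session: " + TryValidate(keyed, "session-B", out s));
        string unkeyed = Protect("cart=3;step=confirm", "");         // page that never sets a user key
        Console.WriteLine("unkeyed, any session: " + TryValidate(unkeyed, "", out s));
    }
}
```

The last call models a page that leaves the user key empty: the server then has no way to tell which user a valid field was issued to.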