Re: Windows Impersonation in ASP.NET

Pierre posted an entry bout impersonation in ASP.NET szenarios. [Pierre]There are several scenario where you have to use the impersonation in ASP.NET. Consider, for example, you have to save and load files from a network share (file server). In that case, if the web site accept anonymous authentications, you have to impersonate a windows user who has enought privileges to access to that resource. You have three choices (I guess): Elevate the ASP.NET process identity - worse case since you could compromise the whole site security Impersonate a windows user during the single call ( Demand the task to a COM+ server application I think that the last is the best since we have more security and maintenance control[...] I agree with him that "Demand the task to a COM+ server application" is the best way of the three he listed. But for me impersonation it is still a don't. By the way i wanted to post this as a comment but "Comments on this post are closed". Yes this is some criticism on :-) ... So here my opinion as post in my blog: Avoid impersonation! If you need to "redirect a binary that is located on a different box than the webserver to the client" utilize another IIS on the 2nd machine or write a service that returns the binary data.  

Next to XSS is SSS - Same Site Scripting

Via Willem Odendaal I opend the following web site It holds an interesting collection of bookmarklets (Javascript commands that can be saved as bookmarks so they can be applied to every page that is opend in your browser). For example: "remove MaxLength" ... shows how important it is to use ASP.NET Validation Controls in your Web Applications.  

@BASTA! #1

Yesterday I arrived in Frankfurt with a delay of 2 hours (thanks to the Deutsche Bahn). Monday is Workshop day and so I just sat arround and did the same stuff that I would normally do in the office. I'm currently working on an ASP.NET project that uses v. 1.1 but will be converted to 2.0 with it's "Go-Live". So I need to make sure that I don't do things that will stand in the way in the next version. Here are a few questions I'm currently asking myself: Do i like the idea to save the properties of the Profile class in a ntext database column with the length of 6000? Will i accept that i can only user MemberShip with MediumTrust or higher? In germany we say: "Kommt Zeit, kommt Rat".

What ASP.NET Developers Should Always Do

[Dino Esposito] ...Introduced with ASP.NET 1.1, ViewStateUserKey is a string property on the Page class that only few developers admit to be familiar with. Why? Let's read what the documentation has to say about it.[...]void Page_Init (object sender, EventArgs e) { ViewStateUserKey = Session.SessionID; } There will be a few more that are familiar with that now :-)