c# - WindowsIdentity.Impersonate in ASP.NET randomly "Invalid token for impersonation - it cannot be duplicated"


I have an ASP.NET app that requires users to sign in with their domain accounts using basic authentication. The user can create a selection, then press a button.

At some point after pressing the button is this code: WindowsIdentity.Impersonate(userIdentity.Token). userIdentity is of type WindowsIdentity, and it was set to (WindowsIdentity)User.Identity.

userIdentity is stored as a session variable, and I think that's because, after the button is pressed, the page containing this code is called via AJAX.

When I nail this code, it works 2/3 of the time, but 1/3 of the time, I get this exception: Invalid token for impersonation - it cannot be duplicated. I think the biggest head scratcher for me is why does it work some times but not other times? On some sessions, it works several times before failing. On others, it fails right away.

Here's the stack trace:

   at system.security.principal.windowsidentity.createfromtoken(intptr usertoken)
   at system.security.principal.windowsidentity..ctor(intptr usertoken, string authtype, int32 isauthenticated)
   at system.security.principal.windowsidentity.impersonate(intptr usertoken)
   at resource_booker.bll.reservationagent.submitreservationrequest(reservation reservation, patron patron) in c:\dev\roomres\resource booker\bll\reservationagent.cs:line 101
   at resource_booker.reserve.reserve_click(object sender, eventargs e) in c:\dev\roomres\resource booker\reserve.aspx.cs:line 474
   at system.eventhandler.invoke(object sender, eventargs e)
   at system.web.ui.webcontrols.button.raisepostbackevent(string eventargument)
   at system.web.ui.page.processrequestmain(boolean includestagesbeforeasyncpoint, boolean includestagesafterasyncpoint)

Here's a confounding factor: I cannot reproduce this problem on my local Windows 7 x64 workstation--albeit authentication is passed implicitly here since I'm using localhost--or on a Windows 2003 32-bit IIS 6.0 environment. It happens on a pretty vanilla Windows 2008 R2 environment. These environments are domain members.

Basically, what you are seeing is not a security problem: the logon session is cached by IIS for the lifetime of the TCP connection, with HTTP cutting the TCP connection and requiring re-authentication. This will happen seamlessly and invisibly (handled by the browser), but it will invalidate the token, as the logon session is destroyed when the TCP connection ends.

I.e., for the benefit of @usr: it works because the logon session is the same, so the token is the same, and the token stored in the session works because it happens to be the same actual token as User.Identity. It's not a way of avoiding the security check but an implementation detail of the security check.

You shouldn't be storing the identity in the session - it is unnecessary since this is an authenticated connection.

Just utilize (WindowsIdentity)User.Identity every single time and the problem should go away.
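
The pattern the answer recommends, as an added example that is not part of the original post: read the identity from the current request on every call and impersonate inside a using block, instead of keeping a WindowsIdentity in Session. The class and method names are hypothetical, and the code assumes .NET Framework ASP.NET with Windows or basic authentication enabled in IIS.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added example; RequestImpersonation and RunAsCurrentUser are hypothetical names.
public static class RequestImpersonation
{
    // Runs 'work' as the user authenticated on the *current* request.
    // The identity is read from HttpContext each time, never from Session,
    // so its token belongs to a logon session that IIS still holds open.
    public static void RunAsCurrentUser(HttpContext context, Action work)
    {
        if (context == null) throw new ArgumentNullException("context");
        if (work == null) throw new ArgumentNullException("work");

        // Anonymous or forms-authenticated requests do not carry a WindowsIdentity;
        // fail closed instead of running 'work' as the application pool account.
        WindowsIdentity identity =
            context.User == null ? null : context.User.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            throw new InvalidOperationException(
                "The current request has no authenticated Windows identity.");
        }

        // Impersonate() returns a WindowsImpersonationContext. Disposing it
        // reverts the thread to its previous identity, even if 'work' throws,
        // so the impersonated token never leaks onto a pooled thread.
        using (WindowsImpersonationContext impersonation = identity.Impersonate())
        {
            work();
        }
    }
}

// Usage from a page's code-behind (DoWorkAsUser is a hypothetical method):
//   RequestImpersonation.RunAsCurrentUser(HttpContext.Current, () => DoWorkAsUser());
```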

c# asp.net ajax basic-authentication windows-identity
