Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Static CurrentPrincipal leads to shared authentication between threads #32

Open
FUB4R opened this issue Sep 28, 2015 · 4 comments
Open

Static CurrentPrincipal leads to shared authentication between threads #32

FUB4R opened this issue Sep 28, 2015 · 4 comments

Comments

@FUB4R
Copy link

FUB4R commented Sep 28, 2015

Just got bitten by this today : once a user was authenticated on my ASP.NET website, everyone shared his/her identity!

This was due to the currentPrincipal variable being shared between requests (even though there is the ThreadStatic annotation).

I fixed it by making the following change :

public static ICasPrincipal CurrentPrincipal
    {
        //get { return currentPrincipal; }
        get { return Thread.CurrentPrincipal as ICasPrincipal; }
    }
@mmoayyed
Copy link
Member

Would you be able to post a PR?

@FUB4R
Copy link
Author

FUB4R commented Sep 29, 2015

See PR #33

@phantomtypist phantomtypist mentioned this issue Aug 1, 2017
Open
@lanorkin
Copy link
Contributor

lanorkin commented Aug 2, 2017

I think that fix is valid as quick-fix, but in long run it's bad idea to rely on Thread.CurrentPrincipal, as it highly restricts design of library user.

I can easily imagine applications where CAS authentication will be just one of allowed authentications, which for example provide additional permissions / roles to user already authenticated with say usual login / password.

In these cases developers might want to use their own principal classes, and utilize Thread.CurrentPrincipal for own purposes, but they still will need access to result of CAS authentication,

I think that best option here is to use HttpContext.Current.Items to keep principal like this:

public static ICasPrincipal CurrentPrincipal
{
    get { return (ICasPrincipal)HttpContext.Current.Items["DotNetCasClient.CasAuthentication.CurrentPrincipal"]; }
    private set { HttpContext.Current.Items["DotNetCasClient.CasAuthentication.CurrentPrincipal"] = value; }
}

@FUB4R
Copy link
Author

FUB4R commented Aug 2, 2017

The problem with using anything from HttpContext is that you may not have access to this class in the places where you want to check the current user (for various reasons). I also vaguely remember experimenting with using the HttpContext before submitting this PR, and found it wasn't appropriate.

Regardless, this bug is a serious issue (which luckily got caught before it went into production). It's disappointing to see that, almost 2 years later, no fix has been merged.

I appreciate that there may be better ways to solve the issue. Whilst possibly imperfect, the code I suggested has been proven to work for over a year in a large business application with hundreds of simultaneous users. Any other deployments out there are basically subject to "random authentication", which is pretty catastrophic...

CarloM-71 pushed a commit to eligo-social/dotnet-cas-client that referenced this issue Mar 22, 2024
Fixed static currentPrincipal (issue apereo#32)
37e4146
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mmoayyed @lanorkin @FUB4R