Is it a good practice by putting princicple object in Context?

Is it possible to spoof the Context.Current.User?

//code in global.asax
Sub Application_OnAuthenticateRequest(ByVal Source As Object, ByVal Details As EventArgs)
'Authentication code goes here.
myPrinciple = ...
Context.Current.User = myPrinciple
end sub

This is often done in order to implement a custom role-based security system
in your web application, so it is definitely considered good practice when
that is needed.

What do you mean by spoof in this context?

Joe K.

"Frank J" <FrankJ (AT) discussions (DOT) microsoft.com> wrote

Yes, this is possible. If you don't trust the code that your web
application is running, then you could definitely have a security problem.

The .NET code access security (CAS) system has a permission that allows
control of the principal to controlled. You use the SecurityPermission with
the ControlPrincipal flag. ASP.NET does have support for running web
applications in partial trust, so it should be possible to restrict which
code gets to control the principal if you want. I'm a little fuzzy on the
details though.

Joe K.

"Frank J" <FrankJ (AT) discussions (DOT) microsoft.com> wrote

piece of code in any page can change the Context.User thus create security
problem.