Can you please explain impersonation from the point of view of non-technical users? Then please explain it in the .NET world. Is impersonation quite evil or good? Do we apply it for Forms Authentication?

+2  A: 

Web applications run through a web server. That web server runs as a user with different permissions than yourself. Impersonation allows the application to run as you (or any other user with different privileges on the computer), as if you were logged in to the computer running it itself.

It actually makes things quite good. It allows you another way to grant/restrict access to protected files on the computer.

And yes, you can apply it using Forms Authentication (but you don't have to).

Justin Niessner
+2  A: 

You should check out Keith Brown's description of impersonation. It is really a Windows concept.

When you have an application using forms authentication (FA), the IIS process is running under the credentials of a specific user set up in IIS.

Example: If you have a user called Bob logged on using FA and IIS set up to run as Network Service, and Bob accesses a page which makes a web service call to another computer, the other computer will see the IIS user and not Bob. You can use impersonation to allow Bob to access the web service as a real Windows user and not Network Service.

Impersonation is not evil but it can be misused. You really need to understand the impact on your overall security model. It is also something that creates a lot of work for developers to debug. This is especially the case if you do not have admin rights to the resource (e.g. web service) you are trying to access.

BrianLy
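
The Bob scenario above as an added example (not code from any of the answers): impersonation scoped to a single call, so the thread reverts to the service account as soon as the work finishes. The domain `EXAMPLEDOMAIN`, the account `bob` and the `DEMO_PASSWORD` environment variable are hypothetical; it assumes Windows and .NET Framework 4.6 or later.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

static class ScopedImpersonation
{
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // Win32 LogonUser: exchanges Windows credentials for an access token.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);

    // Runs 'work' under the given Windows account. RunImpersonated reverts
    // the thread identity when 'work' returns or throws, so nothing after
    // this call runs with the impersonated user's rights.
    public static T RunAs<T>(string domain, string user, string password, Func<T> work)
    {
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out SafeAccessTokenHandle token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        using (token) // close the token handle once the work is done
            return WindowsIdentity.RunImpersonated(token, work);
    }

    static void Main()
    {
        // Hypothetical secret source; never hard-code the password.
        string password = Environment.GetEnvironmentVariable("DEMO_PASSWORD");
        if (string.IsNullOrEmpty(password))
            throw new InvalidOperationException("DEMO_PASSWORD is not set.");

        // Identity the process normally runs as (e.g. Network Service under IIS).
        Console.WriteLine("Before: " + WindowsIdentity.GetCurrent().Name);

        // Only this delegate sees Bob's identity; a web service call placed
        // here would present Bob's credentials to the other computer.
        string during = RunAs("EXAMPLEDOMAIN", "bob", password,
            () => WindowsIdentity.GetCurrent().Name);
        Console.WriteLine("During: " + during);

        // Back to the original identity.
        Console.WriteLine("After:  " + WindowsIdentity.GetCurrent().Name);
    }
}
```

A Forms Authentication login does not produce a Windows token by itself, so the application has to obtain one for a matching Windows account, as `LogonUser` does here.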
A: 

Impersonation is a process used to determine what credentials your .NET code runs under. It's not recommended for most types of code.

Forms Authentication is a way of storing a secure hash in a cookie so that you can validate access to your application by authenticated users.

James Westgate