Is Request.IsLocal safe or can it be faked?

I have a web page that checks an encrypted cookie on page load to determine the user ID. However, when I test the page locally in my development environment, I do not have access to this cookie.

I used to use an appSetting to tell the page whether it was in development mode or not, and when in dev mode it loaded a fixed user ID. Then I discovered Request.IsLocal.

I can just check like this:

    if (Request.IsLocal) {
        FormsAuthentication.SetAuthCookie("testUser", false);
    } else {
        FormsAuthentication.SetAuthCookie(/*EncryptedCookieValue*/, false);
    }

Is it safe? Is there a way an attacker can spoof IsLocal?

+5
security
4 answers

I think your real question is: how do you enable functionality only during development?

You can use: Environment.UserInteractive
http://msdn.microsoft.com/en-us/library/system.environment.userinteractive.aspx

It returns false when running in IIS or as a Windows service, and true when there is a user interface, i.e. under Visual Studio during development.

I think this is better than the DEBUG pre-processor variable, because the behaviour is more consistent: you can accidentally deploy the DEBUG build of your library into your live environment if you do not have a very careful build/release process.

As a rule, you should not trust anything from the client.
I would also be pragmatic about what you are protecting and how much effort someone will put into cracking it.

Here is a post on why you should not trust it:
Can I fool HttpRequest.Current.Request.IsLocal?

You can view the source at http://referencesource.microsoft.com

    public bool IsLocal {
        get {
            String remoteAddress = UserHostAddress;

            // if unknown, assume not local
            if (String.IsNullOrEmpty(remoteAddress))
                return false;

            // check if localhost
            if (remoteAddress == "127.0.0.1" || remoteAddress == "::1")
                return true;

            // compare with local address
            if (remoteAddress == LocalAddress)
                return true;

            return false;
        }
    }
+6

The code for IsLocal seems reliable; I see no flaws in the logic, so this should be good for your purposes.

However, you should be aware that if your application (or any other application running on the same server) makes any HTTP requests that the end user can influence, then you must add an additional layer of security, such as a secret/expiring key or token on your request, or protect the HTTP request when it is made so that it cannot request a local resource.

E.g. say your site has an endpoint such as http://www.example.com/DeleteAllUsers, and in the code that processes this request you check IsLocal to make sure users can only be deleted if it is a local, trusted request.

Now let's say you have a feature on your website, "Enter a web address to view its headers:", and the user enters http://www.example.com/DeleteAllUsers in that text box, causing your application to request DeleteAllUsers and satisfy the IsLocal security check, because the HTTP request is made from your application. This is how IsLocal can be abused, and I understand this is a far-fetched example to prove the point, but many websites do similar things, such as capturing a preview image of a URL for display. If nothing on your server can be made to create a local HTTP request, you should be good to go.

+2
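The scenario in the answer above, modelled as an added example (not code from the original post or from ASP.NET): a backend whose /DeleteAllUsers endpoint is gated by the same decision as the quoted IsLocal source, a "view this URL's headers" feature that issues the outbound request on the server's behalf, and the two mitigations the answer suggests. The server address, the DNS table, the admin token and the function names are all constructed assumptions; the outbound HTTP request is simulated rather than sent so the block runs offline.

```python
import ipaddress
import hmac
from urllib.parse import urlsplit

# Constructed values so the example runs offline (not from the original post).
SERVER_ADDRESS = "203.0.113.10"          # the web server's own address (IsLocal's LocalAddress)
LOOPBACK = {"127.0.0.1", "::1"}
DNS = {                                   # stand-in for hostname resolution
    "www.example.com": SERVER_ADDRESS,
    "localhost": "127.0.0.1",
    "public.example.net": "198.51.100.7",
}
ADMIN_TOKEN = "constructed-secret-token"  # hypothetical shared secret for the hardened endpoint


def is_local(remote_address, local_address=SERVER_ADDRESS):
    """Same decision as the IsLocal source quoted above: unknown -> False,
    loopback -> True, otherwise True only if it equals the server's own address."""
    if not remote_address:
        return False
    if remote_address in LOOPBACK:
        return True
    return remote_address == local_address


def handle(path, remote_address, token=None):
    """Backend as in the answer: /DeleteAllUsers is protected by IsLocal alone."""
    if path == "/DeleteAllUsers":
        return "200 deleted" if is_local(remote_address) else "403"
    return "200 ok"


def handle_hardened(path, remote_address, token=None):
    """Mitigation from the answer: the privileged endpoint also demands a secret
    token, so a request merely arriving from the server itself is not enough."""
    if path == "/DeleteAllUsers":
        ok = (is_local(remote_address) and token is not None
              and hmac.compare_digest(token, ADMIN_TOKEN))
        return "200 deleted" if ok else "403"
    return "200 ok"


def _source_address_for(target_ip):
    """Source address the backend sees when this server connects to target_ip:
    loopback for 127.0.0.1/::1, its own interface address when it connects to itself."""
    if target_ip in LOOPBACK:
        return "127.0.0.1"
    if target_ip == SERVER_ADDRESS:
        return SERVER_ADDRESS
    return None


def fetch_headers(url, handler=handle):
    """The 'enter a web address to view its headers' feature, with the outbound HTTP
    request modelled instead of performed. Any URL that resolves back to this host
    reaches the backend with a local source address and passes IsLocal."""
    parts = urlsplit(url)
    target_ip = DNS.get(parts.hostname)
    if target_ip is None:
        return "dns failure"
    source = _source_address_for(target_ip)
    if source is None:
        return "200 ok (remote site)"
    return handler(parts.path or "/", source)


# Ranges a server-side fetcher should never connect to (RFC 1918 plus loopback and
# link-local); the server's own public address is checked separately below.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12",
                     "192.168.0.0/16", "169.254.0.0/16", "fe80::/10")]


def is_forbidden_destination(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return ip_text == SERVER_ADDRESS or any(ip in net for net in BLOCKED_NETWORKS)


def fetch_headers_safe(url, handler=handle):
    """Hardened fetcher: resolve first, refuse local/internal destinations, and
    connect to the resolved IP (not the hostname again) so a DNS answer that
    changes between check and connect cannot redirect the request."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "blocked: scheme"
    target_ip = DNS.get(parts.hostname)
    if target_ip is None:
        return "dns failure"
    if is_forbidden_destination(target_ip):
        return "blocked: destination is this host or an internal network"
    return "200 ok (remote site)"
```

With the vulnerable pair, fetch_headers("http://www.example.com/DeleteAllUsers") and fetch_headers("http://localhost/DeleteAllUsers") both return "200 deleted" although the attacker never had a local address. fetch_headers_safe refuses both, and handle_hardened returns "403" for a loopback request that lacks the token, which is the layered check the answer asks for. Note that the destination filter only covers the hops the page discusses; real deployments also need to handle redirects and IPv6-mapped addresses.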

Determining the remote IP address is complex and depends on a proper server configuration.

For example, a misconfigured server may use X-Forwarded-For to determine the IP address, but that header can be set by the client. But when using a reverse proxy that sets it, this is the correct way to determine the IP address.

Using the IP address from the socket can also be wrong; consider a reverse proxy running on the same machine as the web server.

=> If possible, use a different authentication mechanism.

+1
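The two failure modes named in the answer above, as an added example (not code from the original post or from ASP.NET): a remote-address function that believes X-Forwarded-For unconditionally, a version that only honours the header when the TCP peer is a proxy the operator controls, and the same-host reverse proxy whose socket address is always loopback. The attacker address, proxy addresses and server address are constructed, and is_local repeats the decision from the IsLocal source quoted in an earlier answer.

```python
LOOPBACK = {"127.0.0.1", "::1"}
SERVER_ADDRESS = "203.0.113.10"   # constructed: the web server's own address


def is_local(remote_address, local_address=SERVER_ADDRESS):
    """The IsLocal decision from the source quoted in an earlier answer."""
    if not remote_address:
        return False
    if remote_address in LOOPBACK:
        return True
    return remote_address == local_address


def _hops(headers):
    xff = headers.get("X-Forwarded-For", "")
    return [h.strip() for h in xff.split(",") if h.strip()]


def remote_address_naive(peer_ip, headers):
    """The misconfiguration described above: X-Forwarded-For wins whenever it is
    present, even though the client can send any value it likes."""
    hops = _hops(headers)
    return hops[0] if hops else peer_ip


def remote_address_trusted(peer_ip, headers, trusted_proxies):
    """Honour X-Forwarded-For only when the TCP peer is a proxy we run, and walk the
    chain from the right so entries the client prepended are ignored. Returns None
    when the address is unknown (trusted peer, no usable header); IsLocal treats
    an unknown address as not local."""
    if peer_ip not in trusted_proxies:
        return peer_ip                 # direct connection: the socket address is the truth
    for hop in reversed(_hops(headers)):   # rightmost entry was appended by the peer proxy
        if hop not in trusted_proxies:
            return hop
    return None                        # misconfigured proxy: nothing trustworthy to report


def scenarios():
    """Constructed requests: an attacker at 198.51.100.7, an edge proxy at 10.0.0.5,
    and a reverse proxy sharing the web server's machine (peer address 127.0.0.1)."""
    attacker = "198.51.100.7"
    edge_proxy = {"10.0.0.5"}
    same_host_proxy = {"127.0.0.1"}
    spoof = {"X-Forwarded-For": "127.0.0.1"}
    via_proxy = {"X-Forwarded-For": "127.0.0.1, " + attacker}  # proxy appended the real client
    return {
        # direct request carrying a forged header
        "naive_direct_spoof": is_local(remote_address_naive(attacker, spoof)),
        "trusted_direct_spoof": is_local(remote_address_trusted(attacker, spoof, edge_proxy)),
        # same forged header, arriving through the edge proxy
        "naive_via_proxy_spoof": is_local(remote_address_naive("10.0.0.5", via_proxy)),
        "trusted_via_proxy_spoof": is_local(remote_address_trusted("10.0.0.5", via_proxy, edge_proxy)),
        # reverse proxy on the web server's own machine: the raw socket address is
        # always loopback, so checking it alone makes every visitor "local"
        "socket_only_same_host": is_local("127.0.0.1"),
        "trusted_same_host": is_local(remote_address_trusted(
            "127.0.0.1", {"X-Forwarded-For": attacker}, same_host_proxy)),
        "trusted_same_host_no_header": is_local(remote_address_trusted("127.0.0.1", {}, same_host_proxy)),
    }
```

scenarios() returns True for the two naive cases and for the raw socket check behind a same-host proxy, and False for every trusted-proxy case. The trusted variant still cannot recognise a genuine loopback client behind a same-host proxy (the proxy reports 127.0.0.1, which is its own address, so the result is None), which is the practical reason for the answer's closing advice to use a different authentication mechanism.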

You should not put this code on a production server for the reasons stated in other answers.

However, you could do:

    #if DEBUG
    if (Request.IsLocal) {
        FormsAuthentication.SetAuthCookie("testUser", false);
    } else {
    #endif
        FormsAuthentication.SetAuthCookie(/*EncryptedCookieValue*/, false);
    #if DEBUG
    }
    #endif

On the development box, run the Debug build. Deploy the Release build in production.

+1
