How does HttpContext.Current.User.Identity.Name know which usernames exist?

Question

This is not necessarily an issue, I am just curious as to how it works. I have a method:

public static bool UserIsAuthenticated()
{
    bool isAuthed = false;
    try
    {
        if (HttpContext.Current.User.Identity.Name != null)
        {
            if (HttpContext.Current.User.Identity.Name.Length != 0)
            {
                FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity;
                FormsAuthenticationTicket ticket = id.Ticket;
                isAuthed = true;
                string MyUserData = ticket.UserData;
            }
        }
    }
    catch { } // not authed
    return isAuthed;
}

The HttpContext.Current.User.Identity.Name returns null if the user does not exist, but how does it know which usernames exist or do not exist?

score 57 · Answer 1 · answered Jan 20 '15 at 09:31

57

For windows authentication

select your project.

Press F4

Disable "Anonymous Authentication" and enable "Windows Authentication"

enter image description here

answered Jan 20 '15 at 09:31

Anwar Ul-Haq

1,786
1
13
26

3

This does not seem to address the question "how does HttpContext know which usernames exist?" – TylerH Feb 20 '20 at 16:25

score 30 · Accepted Answer · edited Feb 01 '18 at 21:41

The HttpContext.Current.User.Identity.Name returns null

This depends on whether the authentication mode is set to Forms or Windows in your web.config file.

For example, if I write the authentication like this:

<authentication mode="Forms"/>

Then because the authentication mode="Forms", I will get null for the username. But if I change the authentication mode to Windows like this:

<authentication mode="Windows"/>

I can run the application again and check for the username, and I will get the username successfully.

For more information, see System.Web.HttpContext.Current.User.Identity.Name Vs System.Environment.UserName in ASP.NET.

Thanks for the answer but my method in question works my question is how? I dont understand how HttpContext.Current.User.Identity.Name is set? — Srb1313711, Jan 14 '14 at 15:59

score 6 · Answer 3 · answered Mar 12 '18 at 18:43

How does [HttpContext.Current.User] know which usernames exist or do not exist?

Let's look at an example of one way this works. Suppose you are using Forms Authentication and the "OnAuthenticate" event fires. This event occurs "when the application authenticates the current request" (Reference Source).

Up until this point, the application has no idea who you are.

Since you are using Forms Authentication, it first checks by parsing the authentication cookie (usually .ASPAUTH) via a call to ExtractTicketFromCookie. This calls FormsAuthentication.Decrypt (This method is public; you can call this yourself!). Next, it calls Context.SetPrincipalNoDemand, turning the cookie into a user and stuffing it into Context.User (Reference Source).

score 5 · Answer 4 · edited Feb 02 '18 at 14:37

Assume a network environment where a "user" (aka you) has to logon. Usually this is a User ID (UID) and a Password (PW). OK then, what is your Identity, or who are you? You are the UID, and this gleans that "name" from your logon session. Simple! It should also work in an internet application that needs you to login, like Best Buy and others.

This will pull my UID, or "Name", from my session when I open the default page of the web application I need to use. Now, in my instance, I am part of a Domain, so I can use initial Windows authentication, and it needs to verify who I am, thus the 2nd part of the code. As for Forms Authentication, it would rely on the ticket (aka cookie most likely) sent to your workstation/computer. And the code would look like:

string id = HttpContext.Current.User.Identity.Name;

// Strip the domain off of the result
id = id.Substring(id.LastIndexOf(@"\", StringComparison.InvariantCulture) + 1);

Now it has my business name (aka UID) and can display it on the screen.

Marconi Mac · Answer 5 · 2015-12-29T10:31:50.770

3

Also check that

<modules>
      <remove name="FormsAuthentication"/>
</modules>

If you found anything like this just remove:

<remove name="FormsAuthentication"/>

Line from web.config and here you go it will work fine I have tested it.

edited Dec 29 '15 at 10:31

answered Dec 29 '15 at 10:24

Marconi Mac

39
4

1

This does not seem to address the question "how does HttpContext know which usernames exist?". – TylerH Feb 20 '20 at 16:25

GGForce · Answer 6 · 2021-08-04T11:05:05.733

Actually it doesn't! It just holds the username of the user that is currently logged in. After login successful authentication, the username is automatically stored by login authentication system to "HttpContext.Current.User.Identity.Name" property.

To check if the current user is authenticated, you MUST (for security reasons) check "HttpContext.Current.User.Identity.IsAuthenticated" boolean property that automatically holds this information instead of writing your own code.

If the current user is NOT authenticated, "HttpContext.Current.User.Identity.Name" property will be null or an empty string or "can take other values" (https://docs.microsoft.com/en-us/dotnet/api/system.security.principal.iidentity.name?view=netframework-4.8) obviously depending on the authentication mode used.

See: https://docs.microsoft.com/en-us/dotnet/api/system.security.principal.iidentity?view=netframework-4.8

How does HttpContext.Current.User.Identity.Name know which usernames exist?

6 Answers6

Linked