I've got an interesting question regarding integrated windows authentication.
I have a web based application that uses the auth_user http header variable to perform some lookups in a database – lookups that return information that only that user should use. (the sql pseudo code goes something to the effect of select * from tblName where uniqueNTLogon = auth_user)
The question I have is regarding spoofing. I know HTTP headers are susceptible to having data in them spoofed – so the concern would be about someone passing in a different username in the auth_user variable, hence seeing data they shouldn’t.
HOWEVER, since we’re using Integrated Authentication – it’s my understanding that on each http requeset made of the server, the credentials of the requesting machine are re-authenticated based on some hashed data. This leads me to believe that if someone change the auth_user variable, they would fail to authenticate.
So which is the case? Is spoofing possible?
Notes 1) I’m not (unfortunately) using .net for this specific app (cold fusion).