aspnet2securityfaq0066 | Channel 9

Sign In

Subscribe Follow Us On Twitter

Return to
HomePage
ASPNET2SecurityFAQs

Question: How can I retain impersonation in the new thread created from ASP.NET application?

Answer:

In .NET Framework 1.1, impersonation tokens did not automatically flow to newly created threads. This situation could lead to security vulnerabilities because new threads assume the security context of the process. In .NET Framework 2.0, by default the impersonation token still does not flow across threads, but for ASP.NET applications you can change this default behavior with appropriate configuration of the ASPNET.config file in the %Windir%Microsoft.NET\Framework\{Version Number\ directory.
If you need to flow the impersonation token to new threads, set the enabled attribute to true on the alwaysFlowImpersonationPolicy element and enabled attribute to false on legacyImpersonationPolicy element.in the ASPNET.config file, as shown in the following example.

		 <configuration>
		  <runtime>
		    [<alwaysFlowImpersonationPolicy] enabled="true"/>
		    [<legacyImpersonationPolicy] enabled="false"/>
		  </runtime>
		 </configuration>

If you need to prevent impersonation tokens from being passed to new threads programmatically, you can use the ExecutionContext.SuppressFlow method.

Return to
HomePage
ASPNET2SecurityFAQs

- History
  
  Modified By: System
  
  Apr 30th, 2008 @ 11:11 AM
  
  Views (259)
- Share
  - Del.icio.us
  - Digg
  - FriendFeed
  - Facebook
Markup Quick Guide

*bold*

_italics_

+underline+

! Heading 1

!! Heading 2

* Bullet List

** Bullet List 2

# Number List

## Number List 2

[another wiki page]

[url:http://www.example.com]

[image:example.gif]

{"Do not apply formatting"}

Silverlight: Silverlight Test Driven Development – Part II
WindowsClient: Battery notification messages in Windows 7
Silverlight: The Weekly Source Code 49 - SmallBasic is Fun, Simple, Powerful Programming for Kids and Adults
WindowsClient: 24 Hour 50% off Deal on my Upcoming Manning Book: Silverlight in Action, Revised Edition
Channel 9: C9 Conversations: Yuri Gurevich - Abstraction, Algorithms and Mathematical Logic
TechNet Edge: February 2010 Security Bulletin Overview
Channel 9: PhizzPop Develop & Design Challenge
Silverlight: Quick FAQ on Visual Studio 2010 RC release (February 2010) and Silverlight development
Channel 10: 5 Bing Map Apps for the Winter Olympics
TechNet Edge: TechNet Radio: Visio 2010: Visio Services
WindowsClient: Tip: New .NET 4 String Function to Check for Empty Strings
WindowsClient: Microsoft announces commercial availability of Surface in Australia
WindowsClient: SmallestDotNet Update - Now with .NET 4 support and an includable JavaScript API
Silverlight: Answering A C# Question
Channel 9: Jason Zander: Visual Studio 2010 Release Candidate Released
Channel 9: Help Desk Episode 1 with Chris Pirillo (Pilot) - Show Notes
Mix Online: Design for tables
Channel 10: Bing and Winter Olympics
Channel 10: Use Your Zune Remote to Control Windows Media Center
WindowsClient: Query Continuations for nested collections in Data Services
close

Microsoft Communities