Spoofing LOGON_USER & AUTH_USER
Posted on 2008-10-31
I have a web application with IIS set to anonymous access and Integrated Windows Authentication switched on - this is an intranet app.
Once people have hit the site I want to be able to give them customised content according to who they are, possibly using Request.ServerVariables("LOGON_USER") and Request.ServerVariables("AUTH_USER"). I plan to use these to identify who they are and then deliver customised content.
I am worried about these being spoofed though, e.g.:
telnet localhost 80
GET /default.asp HTTP/1.1
Obviously the above telnet example won't work as it won't get authenticated but you see my general concern.
Any thoughts or comments on this?