I am writing an ASP.Net MVC application that uses NTLM authentication, so users don’t need to register with the site. If I have disables anonymous access, can I use User.Identity.Name as the ownership key in the database. What I’d like to do is to be able to issue a search such as
from station in db.stations where station.user == username select *;
Is this enough to know reliably who the user is, or is there someway a nasty user could spoof the name string and gain access to data that they shouldn’t?
The name is filled in from the session so the attacker would have to spoof the session cookie to hijack the user’s session and get access. The ASP.NET session cookie is encrypted to help prevent this, but you should definitely have the session expire so that a determined attacker can’t spend an unlimited time trying to break the encryption. Setting your cookies to httpOnly can also help prevent a malicious script in the browser from accessing the cookie.
Here’s a reference for best practices for securing an ASP.NET 2.0 web site. Much of it is still applicable, but may need to be translated to MVC.