{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 爷、活的狠高调 的问题《The right use of <identity impersonate=“true”/>》','https://www.manongdao.com/q-617264.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
In my Website, Users who has logged in are able to change their profile pictures, and this process includes saving the uploaded image to a folder in the website's root directory.
When I tested it, I received an Error that I should grant access to this specific folder using permissions.
I do not have control over the Control Panel, the one who does said that he did grant the Images folder a READ and WRITE permissions to Others.
After Testing it again, once again the same error, so I edited web.config and included:
<identity impersonate="true"/>
And now everything seems to work perfectly. BUT, what did I just do here? Is there any security risk? Did I grant anonymous access to my website for everyone?
You are now running your website under the identity of the client user.
That would depend on the permissions that this account has on the server. Usually it is bad practice to run a website with accounts that have lots of privileges. Ideally you should configure your website to run under an account that you explicitly grant privileges to the required folders.
The problem with your approach is that if another user that doesn't have access to the specified folder visits your website, it won't work for him. If on the other hand this is expected behavior then you are probably fine by impersonating user identities.
No, this has nothing to do with authentication.
What you have done is given user rights to work under logged in user.
And there is a security risk for making impersonate true.
If you are on production, I would recommend you to read this article http://support.microsoft.com/default.aspx?scid=kb;en-us;329290
"Using impersonation in the web.config allows you to override whatever identity was configured for the Application Pool the app is running under - it's just a more fine grained method to control identity ( on the app level vs. the ApplicationPool level), so you could have two apps run on the same AppPool, but one of them uses impersonation to use another identity." courtesy: App pool identity versus impersonation identity?