Is Request.IsLocal secure or can it be spoofed?

Question

I have a webpage which checks for an encrypted cookie on page load to determine user identity. However, when I\'m testing the page locally on my development box, I don\'t h

Answer 1

I think your actual question is, how do you have development only functionality?

You could you use: Environment.UserInteractive
http://msdn.microsoft.com/en-us/library/system.environment.userinteractive.aspx

It returns false when running in IIS or a Windows Service, true when their is a user interface i.e. Visual Studio when your developing.

I think this is better than a DEBUG pre processor variable because the behaviour is more consistent, you could accidentally upload a DEBUG version of your dll to your live environment unless you have a very tight build/release process.

As a rule of thumb it's not a good idea to trust anything from the client.
I'd also be pragmatic, what are you protecting and how much effort would someone go to hack in?

The below SO post goes into some of the reasons why you shouldn't trust it:
Can I fool HttpRequest.Current.Request.IsLocal?

Reference
You can view the source at http://referencesource.microsoft.com

public bool IsLocal { 
   get {
      String remoteAddress = UserHostAddress; 

      // if unknown, assume not local
      if (String.IsNullOrEmpty(remoteAddress))
         return false; 

      // check if localhost 
      if (remoteAddress == "127.0.0.1" || remoteAddress == "::1") 
         return true;

      // compare with local address
      if (remoteAddress == LocalAddress)
         return true;

      return false;
   }