#317 Dispose WindowsIdentity

Author: Tratcher

src/Microsoft.AspNetCore.Server.HttpSys/RequestProcessing/NativeRequestContext.cs

@@ -224,8 +224,14 @@ internal WindowsPrincipal GetUser()
                     && info->InfoType == HttpApi.HTTP_REQUEST_INFO_TYPE.HttpRequestInfoTypeAuth
                     && info->pInfo->AuthStatus == HttpApi.HTTP_AUTH_STATUS.HttpAuthStatusSuccess)
                 {
-                    return new WindowsPrincipal(new WindowsIdentity(info->pInfo->AccessToken,
-                        GetAuthTypeFromRequest(info->pInfo->AuthType).ToString()));
+                    // Duplicates AccessToken
+                    var identity = new WindowsIdentity(info->pInfo->AccessToken,
+                        GetAuthTypeFromRequest(info->pInfo->AuthType).ToString());
+
+                    // Close the original
+                    UnsafeNclNativeMethods.SafeNetHandles.CloseHandle(info->pInfo->AccessToken);
+
+                    return new WindowsPrincipal(identity);
                 }
             }
 

src/Microsoft.AspNetCore.Server.HttpSys/RequestProcessing/Request.cs

@@ -302,6 +302,7 @@ internal void Dispose()
             // TODO: Verbose log
             _isDisposed = true;
             _nativeRequestContext.Dispose();
+            (User?.Identity as WindowsIdentity)?.Dispose();
             if (_nativeStream != null)
             {
                 _nativeStream.Dispose();