http.context.user和thread.currentprincipal的区别以及何时使用它们？

当HttpApplication对象获取一个线程时，它首先要做的事情是将该线程的principal设置为HttpContext的principal。这样可以同步principals。
但是，如果您稍后去设置Thread的principal，HttpApplication在用户上下文中仍然有不同的principal设置。这就是为什么您应该始终通过HttpContext进行设置的原因。
（如果你用Reflector看一下，你会看到当你在HttpContext.User上进行“设置”时运行的复杂代码——它使用IIS进行了大量内部处理来正确地设置principal。）

在webforms应用程序下，我认为Thread.CurrentPrincipal将是运行工作进程（线程）的用户主体。 HttpContext.Current.User将是当前已登录的Web用户。
在表单/WPF应用程序中，这种情况是合理的，因为您感兴趣的是正在运行应用程序的用户。
您是想伪装工作进程还是已登录的用户？

这篇文章能解释清楚吗？以下是摘录内容：

http://www.hanselman.com/blog/CommentView.aspx?guid=22c42b73-4004-40ce-8af9-47f1b9b434ed

I have some code in an ASP.NET custom FormsAuthentication Login that looks something like this:

// This principal will flow throughout the request.
VoyagerPrincipal principal = new VoyagerPrincipal(yada, yada, yada);

// Attach the new principal object to the current HttpContext object
HttpContext.Current.User = principal;

It is called on the Global.asax's AuthenticateRequest so everything is all setup before the Page's events fire. It provides a custom IPrincipal that integrates our eFinance Server with ASP.NET. It's quite a lovely subsystem, IMHO.

Other operations count on being able to get this 'Call Context' IPrincipal from the current thread at any time. In another section of code someone was doing this in the MIDDLE of the HttpRequest (somewhere in the Page_Load) after having JUST called the routine above for the first time:

return Thread.CurrentPrincipal as VoyagerPrincipal;

In the instance where someone calls the first chunk of code then expects to be able to call the second chunk within the same HttpRequest, the Thread.CurrentPrincipal contains a GenericPrincipal populated much earlier by the HttpApplication. (Or a WindowsPrincipal, depending on your settings).