Solved

How to manage custom login and session on IIS?

Posted on 2001-09-06
Medium Priority
631 Views
Last Modified: 2008-10-13
Where can I find a good description and/or articles describing how to properly manage HTTP authentication (Status 401 and WWW-Authenticate lines in response header) *and* session cookie / URL mangling to track custom session state?

It's easy to find reference information, telling what property to set to send a '401' response, but where's a good article that will tell me if I should redirect to check for cookies first or request authentication first?
_ _ _

I'd like to use HTTP authentication where appropriate, and switch to HTML form-based authentication if the user cancels the pop-up.  (Most of our users will have NT logins, but some may use custom application-defined user names and passwords.)

I'd like to manage custom session information, stored in a database, based on a customized "xmlSession" component.  (Top management requires this to support server farms without "sticky" IP addresses.)
_ _ _

P.S.  I'm talking about Visual Basic Scripting (VBS) code on Active Server Pages (ASP), with support from Visual Basic COM components.
Question by:JeffGrigg
6 Comments
 
LVL 37

Accepted Solution

by: meverest earned 240 total points
ID: 6469367
hmmm - you are talking about two very different auth methods.

may i ask, are you wanting to 'integrate' the two so that an either-or approach will work?

if that is what you want, then it is not a trivial task (if even possible!)

there is one way that i can think of that may be able to achieve something like that - being the 'OnAuthenticate()' method of the ISAPI.

may i suggest that you do some research on IIS implementation of ISAPI, and in particular, ISAPI filter as different from the extension type.

you can find some stuff about ISAPI in the MSDN library - go to:

http://search.microsoft.com/us/dev/default.asp

and enter a search for "ISAPI" will get you to some excellent references.

you can build ISAPI filters in a variety of languages, including C++, VB, and others.

good luck!

Author Comment

by:JeffGrigg
ID: 6470706
CHttpFilter::OnAuthentication is interesting
_ _ _

Yes, authentication and session tracking are two different things.  But I wish to do both.

For authentication:
We're integrating with a 3rd party "fat client" accounting package that can authenticate individual users by accepting NT authentication, or by using a separate user name and password.  So, I'd like to give the user the option of NT or application authentication.  I can do this by giving them an application login form when they cancel the NT authentication dialog box.  (If they give NT authentication, and I don't like it, I can also send them to the application login form.)

Session management:
One session for each browser session the user opens.  Should preserve session state across servers in a web farm.  Would be nice to recognize the user's right click and "Open in New Window", and other cases of multiple browser windows open from a single client box, but I'm not sure that's possible.  Should be based on session cookies, if possible, with fallback to adding query string parameters to URLs or hidden form fields when cookies are disabled.

These are two independent concepts.  But as a practical matter, they both have to be done "at the same time" -- on first and every page.  And good session management is necessary to support application authentication.
LVL 37

Expert Comment

by:meverest
ID: 6472575
OK,

how about this:

there is a cgi environment variable called AUTH_USER (or AUTHENTICATED_USER) - you can query this to see if it is a valid NT user who has entered creds at the NT (IIS) logon.

your application flow goes something like this:

1.  check authenticated_user (depends on what development environment you are using, for example, in ASP it is Request.ServerVariables("AUTH_USER"))

2.  if auth, then set logged-in/username session variable/s

3.  if not auth, pass to html/asp login form.

4.  on submit login form, check creds and if ok, set the username/logged-in, proceed

cheers.
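The four-step flow above, written out as a classic ASP (VBScript) include. This is an added example, not code from the thread; the Session keys, the login form field names, the file name applogin.asp and the credential-checking COM object (ProgID "App.Credentials", method IsValid) are assumptions.

```vbscript
<%
' Added example, not from the thread: a classic ASP include implementing
' meverest's four-step flow. Session keys, form field names, applogin.asp
' and the COM object "App.Credentials" (IsValid method) are assumptions.
Function CurrentUser()
    ' Step 1: IIS fills AUTH_USER only after the browser has answered a
    ' 401 challenge, so an empty value means "not yet NT-authenticated".
    Dim ntUser
    ntUser = Request.ServerVariables("AUTH_USER")
    If Len(ntUser) > 0 And Session("LoggedIn") <> True Then
        ' Step 2: record the NT login in session state.
        Session("LoggedIn") = True
        Session("UserName") = ntUser
        Session("AuthMethod") = "NT"
    End If
    If Session("LoggedIn") = True Then
        CurrentUser = Session("UserName")
    Else
        CurrentUser = ""
    End If
End Function

Sub RequireLogin()
    ' Step 3: nobody is logged in, so challenge for NT credentials. The HTML
    ' body is what IE renders when the user cancels the dialog, so it is the
    ' hand-off to the application login form.
    If Len(CurrentUser()) = 0 Then
        Response.Status = "401 Unauthorized"
        Response.AddHeader "WWW-Authenticate", "NTLM"
        Response.Write "<html><body><p>Windows login cancelled.</p>" & _
            "<a href=""applogin.asp"">Log in with an application account</a>" & _
            "</body></html>"
        Response.End
    End If
End Sub

Sub AppLoginFromForm()
    ' Step 4: applogin.asp posts here. Credential checking stays in the COM
    ' layer; the page only records the outcome. Re-issue the custom session
    ' id at this point so an id handed out before login cannot be reused.
    Dim checker, userName
    userName = Request.Form("username")
    Set checker = Server.CreateObject("App.Credentials")
    If checker.IsValid(userName, Request.Form("password")) Then
        Session("LoggedIn") = True
        Session("UserName") = userName
        Session("AuthMethod") = "Application"
    Else
        Response.Redirect "applogin.asp?failed=1"
    End If
End Sub
%>
```

A protected page includes this file and calls RequireLogin at the top, before writing any output, since the 401 status and header must precede the body.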

Author Comment

by:JeffGrigg
ID: 6474530
In IIS, I can check Request.ServerVariables for "AUTH_USER" or "REMOTE_USER" for NT authentication.  But the information seems to only be present when I first deny access to the page by returning a status of 401 (authentication required).  Doing this (with "WWW-Authenticate" headers) causes IE to respond automatically with authentication information.  If I "401" again, it prompts the user.  If they cancel, IE displays the HTML I send along with the 401.

Detecting if the client has cookies enabled is generally done by setting a cookie and redirecting to a special page.  That page knows that if it sees the cookie, then the client has cookies enabled, otherwise the client must have disabled them.  I'm inclined to assign a session id, and redirect the user with the session id in both a cookie and in the URL.  Then I can identify what session has cookies disabled, and mangle their URLs from then on.

I can't redirect and request authentication at the same time, as they're both HTTP "error" status codes.  I can set cookies and request authentication together, but if the client has cookies disabled, I'm not sure that IIS guarantees that "REMOTE_USER" will be blank if I have not requested authentication.

So I have to come up with some sequence of redirecting, requesting authentication, and dealing with exceptions that gracefully handles all possible client browser and configuration scenarios.

I can't be the first person to ever build a web site using HTTP authentication with Microsoft ASP pages.  There must be articles about it somewhere.
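The cookie probe described in the comment above (issue a session id, send it in both a cookie and the redirect URL, then see on the next hit whether the cookie came back), as an added classic ASP example that is not code from the thread. The store object (ProgID "App.xmlSession" with methods NewId, Exists, SetUrlMode and IsUrlMode) is an assumption standing in for the database-backed xmlSession component the question mentions.

```vbscript
<%
' Added example, not from the thread. It implements the cookie probe JeffGrigg
' describes: mint a session id, send it in a cookie and in the redirect URL,
' then see on the next hit whether the cookie came back. The store object
' (ProgID "App.xmlSession", methods NewId/Exists/SetUrlMode/IsUrlMode) is an
' assumption standing in for the database-backed xmlSession component.
Const SID_NAME = "sid"

Function ResolveSession(store)
    Dim sid, fromUrl, selfUrl
    selfUrl = Request.ServerVariables("SCRIPT_NAME")
    sid = Request.Cookies(SID_NAME)
    fromUrl = Request.QueryString(SID_NAME)
    If Len(sid) > 0 And store.Exists(sid) Then
        ' The cookie came back, so cookies are enabled. If the probe redirect
        ' left the id in the query string, redirect once more to a clean URL
        ' so the id does not linger in browser history, Referer headers or logs.
        If Len(fromUrl) > 0 Then Response.Redirect selfUrl
        ResolveSession = sid
    ElseIf Len(fromUrl) > 0 And store.Exists(fromUrl) Then
        ' Only the URL carried a known id: this client has cookies disabled.
        ' Every link from now on must carry it (see Link below). An id in a
        ' URL is easy to leak, so such sessions deserve a short lifetime.
        store.SetUrlMode fromUrl
        ResolveSession = fromUrl
    Else
        ' First contact (or an unknown id): mint a new id, set it as a
        ' session cookie (no Expires) and redirect with the same id in the
        ' query string. Response.Redirect ends the response here.
        sid = store.NewId()
        Response.Cookies(SID_NAME) = sid
        Response.Cookies(SID_NAME).Path = "/"
        Response.Redirect selfUrl & "?" & SID_NAME & "=" & Server.URLEncode(sid)
    End If
End Function

' Builds a link for the current session: plain when the client accepts
' cookies, id-mangled when it does not.
Function Link(store, sid, url)
    If store.IsUrlMode(sid) Then
        Link = url & "?" & SID_NAME & "=" & Server.URLEncode(sid)
    Else
        Link = url
    End If
End Function
%>
```

Call ResolveSession(Server.CreateObject("App.xmlSession")) before any output on every page; the 401 challenge for NT credentials cannot be combined with these redirects, so it belongs on the page reached after the session id has been settled.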
LVL 37

Expert Comment

by:meverest
ID: 6475433
hello.

i am not aware of any articles, and 60 points is not enough to persuade me to spend more time expanding on all this (sorry)

sure, it is a most interesting topic, but i have not much time spare these days :-}

good luck!

cheers.
LVL 9

Expert Comment

by:fz2hqs
ID: 9740427
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

Accept comment from meverest as answer

Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

fz2hqs
EE Cleanup Volunteer
