Solved

How to manage custom login and session on IIS?

Posted on 2001-09-06
Last Modified: 2008-10-13
Where can I find a good description and/or articles describing how to properly manage HTTP authentication (Status 401 and WWW-Authenticate lines in response header) *and* session cookie / URL mangling to track custom session state?

It's easy to find reference information, telling what property to set to send a '401' response, but where's a good article that will tell me if I should redirect to check for cookies first or request authentication first?
_ _ _

I'd like to use HTTP authentication where appropriate, and switch to HTML form-based authentication if the user cancels the pop-up.  (Most of our users will have NT logins, but some may use custom application-defined user names and passwords.)

I'd like to manage custom session information, stored in a database, based on a customized "xmlSession" component.  (Top management requires this to support server farms without "sticky" IP addresses.)
_ _ _

P.S.  I'm talking about Visual Basic Scripting (VBS) code on Active Server Pages (ASP), with support from Visual Basic COM components.
Question by:JeffGrigg
6 Comments
 
LVL 37

Accepted Solution

by:
meverest earned 240 total points
ID: 6469367
hmmm - you are talking about two very different auth methods.

may i ask, are you wanting to 'integrate' the two so that an either-or approach will work?

if that is what you want, then it is not a trivial task (if even possible!)

there is one way that i can think of that may be able to achieve something like that - being the 'OnAuthenticate()' method of the ISAPI.

may i suggest that you do some research on IIS implementation of ISAPI, and in particular, ISAPI filter as different from the extension type.

you can find some stuff about ISAPI in the MSDN library - go to:

http://search.microsoft.com/us/dev/default.asp

and enter a search for "ISAPI" will get you to some excellent references.

you can build ISAPI filters in a variety of languages, including C++, VB, and others.

good luck!


 
0
 

Author Comment

by:JeffGrigg
ID: 6470706
CHttpFilter::OnAuthentication is interesting
_ _ _

Yes, authentication and session tracking are two different things.  But I wish to do both.

For authentication:
We're integrating with a 3rd party "fat client" accounting package that can authenticate individual users by accepting NT authentication, or by using a separate user name and password.  So, I'd like to give the user the option of NT or application authentication.  I can do this by giving them an application login form when they cancel the NT authentication dialog box.  (If they give NT authentication, and I don't like it, I can also send them to the application login form.)

Session management:
One session for each browser session the user opens.  Should preserve session state across servers in a web farm.  Would be nice to recognize the user's right click and "Open in New Window", and other cases of multiple browser windows open from a single client box, but I'm not sure that's possible.  Should be based on session cookies, if possible, with fallback to adding query string parameters to URLs or hidden form fields when cookies are disabled.

These are two independent concepts.  But as a practical matter, they both have to be done "at the same time" -- on first and every page.  And good session management is necessary to support application authentication.
0
 
LVL 37

Expert Comment

by:meverest
ID: 6472575
OK,

how about this:

there is a cgi environment variable called AUTH_USER (or AUTHENTICATED_USER) - you can query this to see if it is a valid NT user who has entered creds at the NT (IIS) logon.

your application flow goes something like this:

1.  check authenticated_user (depends on what development environment you are using; for example, in ASP it is Request.ServerVariables("AUTH_USER"))

2.  if auth, then set logged-in/username session variable/s

3.  if not auth, pass to html/asp login form.

4.  on submit login form, check creds and if ok, set the username/logged-in, proceed

cheers.
0

Author Comment

by:JeffGrigg
ID: 6474530
In IIS, I can check Request.ServerVariables for "AUTH_USER" or "REMOTE_USER" for NT authentication.  But the information seems to only be present when I first deny access to the page by returning a status of 401 (authentication required).  Doing this (with "WWW-Authenticate" headers) causes IE to respond automatically with authentication information.  If I "401" again, it prompts the user.  If they cancel, IE displays the HTML I send along with the 401.

Detecting if the client has cookies enabled is generally done by setting a cookie and redirecting to a special page.  That page knows that if it sees the cookie, then the client has cookies enabled, otherwise the client must have disabled them.  I'm inclined to assign a session id, and redirect the user with the session id in both a cookie and in the URL.  Then I can identify what session has cookies disabled, and mangle their URLs from then on.

I can't redirect and request authentication at the same time, as they're both HTTP "error" status codes.  I can set cookies and request authentication together, but if the client has cookies disabled, I'm not sure that IIS guarantees that "REMOTE_USER" will be blank if I have not requested authentication.

So I have to come up with some sequence of redirecting, requesting authentication, and dealing with exceptions that gracefully handles all possible client browser and configuration scenarios.

I can't be the first person to ever build a web site using HTTP authentication with Microsoft ASP pages.  There must be articles about it somewhere.
0
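Putting meverest's four-step flow together with the cookie-detection round trip and the 401 handling JeffGrigg describes, as an added example that is not code from the thread. It is written as a page-top include for classic ASP and assumes Integrated Windows authentication is enabled next to Anonymous on the virtual directory, a hypothetical NewId/Exists/GetValue/SetValue interface on the custom xmlSession component the question mentions, and a login.asp (not shown) that verifies the application-defined credentials.

```vbscript
<%
Option Explicit
Response.Buffer = True   ' we may redirect or change the status after reading the request
' Assumed interface of the custom "xmlSession" component from the question (hypothetical):
'   NewId() -> string, Exists(id) -> bool, GetValue(id, key) -> string, SetValue id, key, value
Dim sess : Set sess = Server.CreateObject("MyApp.xmlSession")
' ---- 1. Session id: cookie first, URL fallback, one redirect to detect which survives ----
Dim sid, urlMangled, cookieSid, urlSid
cookieSid = Request.Cookies("SID")           ' "" when the browser sent no cookie
urlSid = Request.QueryString("sid")
urlMangled = False
If sess.Exists(cookieSid) Then
    sid = cookieSid
ElseIf sess.Exists(urlSid) Then
    ' Any cookie echoed back (even stale) proves cookies work; none means they are off and the id
    ' must ride in URLs. Only server-minted ids pass sess.Exists, so a crafted link cannot fix one.
    sid = urlSid
    urlMangled = (cookieSid = "")
    If Not urlMangled Then Response.Cookies("SID") = sid : Response.Cookies("SID").Path = "/"
Else
    ' First hit: mint an id, send it both ways, and bounce once to see which comes back.
    sid = sess.NewId()
    Response.Cookies("SID") = sid : Response.Cookies("SID").Path = "/"
    Response.Redirect Request.ServerVariables("SCRIPT_NAME") & "?sid=" & Server.URLEncode(sid)
End If
Function WithSid(url)   ' use for every link and form action so URL-tracked sessions survive
    WithSid = url
    If urlMangled Then WithSid = url & "?sid=" & Server.URLEncode(sid)
End Function
' ---- 2. Authentication: NT credentials via one 401 challenge, else the app login form ----
Dim user
user = Request.ServerVariables("AUTH_USER")   ' non-empty only after IIS has completed NTLM
If user <> "" Then
    sess.SetValue sid, "user", user
ElseIf sess.GetValue(sid, "user") = "" Then
    If sess.GetValue(sid, "challenged") = "" Then
        ' Challenge once per session: IE answers silently with the desktop logon if it can;
        ' if the user cancels the prompt, the HTML written below is what IE renders.
        sess.SetValue sid, "challenged", "1"
        Response.Status = "401 Unauthorized"
        Response.AddHeader "WWW-Authenticate", "NTLM"
    End If
    ' login.asp (not shown) checks the application-defined credentials and, on success,
    ' does sess.SetValue sid, "user", appUser; the sid travels in the action URL if needed.
    Response.Write "<form method=""post"" action=""" & Server.HTMLEncode(WithSid("login.asp")) & """>"
    Response.Write "User: <input name=""u""> Password: <input type=""password"" name=""p"">"
    Response.Write "<input type=""submit"" value=""Log in""></form>"
    Response.End
End If
%>
```

Ids carried in the query string end up in proxy logs and Referer headers, so pair the URL fallback with short session lifetimes and re-issue the id after login.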
 
LVL 37

Expert Comment

by:meverest
ID: 6475433
hello.

i am not aware of any articles, and 60 points is not enough to persuade me to spend more time expanding on all this (sorry)

sure, it is a most interesting topic, but i have not much time spare these days :-}

good luck!

cheers.
0
 
LVL 9

Expert Comment

by:fz2hqs
ID: 9740427
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

Accept comment from meverest as answer

Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

fz2hqs
EE Cleanup Volunteer

0
