Solved

How to manage custom login and session on IIS?

Posted on 2001-09-06
637 Views
Last Modified: 2008-10-13
Where can I find a good description and/or articles describing how to properly manage HTTP authentication (Status 401 and WWW-Authenticate lines in response header) *and* session cookie / URL mangling to track custom session state?

It's easy to find reference information, telling what property to set to send a '401' response, but where's a good article that will tell me if I should redirect to check for cookies first or request authentication first?
_ _ _

I'd like to use HTTP authentication where appropriate, and switch to HTML form-based authentication if the user cancels the pop-up.  (Most of our users will have NT logins, but some may use custom application-defined user names and passwords.)

I'd like to manage custom session information, stored in a database, based on a customized "xmlSession" component.  (Top management requires this to support server farms without "sticky" IP addresses.)
_ _ _

P.S.  I'm talking about Visual Basic Scripting (VBS) code on Active Server Pages (ASP), with support from Visual Basic COM components.
Question by:JeffGrigg
6 Comments
LVL 37

Accepted Solution

by:
meverest earned 240 total points
ID: 6469367
hmmm - you are talking about two very different auth methods.

may i ask, are you wanting to 'integrate' the two so that an either-or approach will work?

if that is what you want, then it is not a trivial task (if even possible!)

there is one way that i can think of that may be able to achieve something like that - being the 'OnAuthenticate()' method of the ISAPI.

may i suggest that you do some research on IIS implementation of ISAPI, and in particular, ISAPI filter as different from the extension type.

you can find some stuff about ISAPI in the MSDN library - go to:

http://search.microsoft.com/us/dev/default.asp

and enter a search for "ISAPI" will get you to some excellent references.

you can build ISAPI filters in a variety of languages, including C++, VB, and others.

good luck!


 
0
 

Author Comment

by:JeffGrigg
ID: 6470706
CHttpFilter::OnAuthentication is interesting
_ _ _

Yes, authentication and session tracking are two different things.  But I wish to do both.

For authentication:
We're integrating with a 3rd party "fat client" accounting package that can authenticate individual users by accepting NT authentication, or by using a separate user name and password.  So, I'd like to give the user the option of NT or application authentication.  I can do this by giving them an application login form when they cancel the NT authentication dialog box.  (If they give NT authentication, and I don't like it, I can also send them to the application login form.)

Session management:
One session for each browser session the user opens.  Should preserve session state across servers in a web farm.  Would be nice to recognize the user's right click and "Open in New Window", and other cases of multiple browser windows open from a single client box, but I'm not sure that's possible.  Should be based on session cookies, if possible, with fallback to adding query string parameters to URLs or hidden form fields when cookies are disabled.

These are two independent concepts.  But as a practical matter, they both have to be done "at the same time" -- on first and every page.  And good session management is necessary to support application authentication.
0
 
LVL 37

Expert Comment

by:meverest
ID: 6472575
OK,

how about this:

there is a cgi environment variable called AUTH_USER (or AUTHENTICATED_USER)- you can query this to see if it is a valid NT user who has entered creds at the NT (IIS) logon.

your application flow goes something like this:

1.  check authenticated_user (depends on what development environment you are using, for example, in ASP it is Request.ServerVariables("AUTH_USER"))

2.  if auth, then set logged-in/username session variable/s

3.  if not auth, pass to html/asp login form.

4.  on submit login form, check creds and if ok, set the username/logged-in, proceed

cheers.
0
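The four-step flow above, written out as a classic ASP include. This is an added example, not code from the thread or from either participant. It assumes the virtual directory has both Anonymous and Integrated Windows authentication enabled in IIS (so a page runs anonymously until it returns a 401 itself), that IIS completes the NTLM handshake once the page sends the challenge, and that you supply a `CheckAppCredentials()` lookup against the application's own user table; `login.asp`, the `ret` parameter and the session keys are names chosen for the example.

```vbscript
<%
' auth_gate.inc.asp -- added example, not from the original thread.
' Assumptions: classic ASP on IIS; the directory allows BOTH Anonymous and
' Integrated Windows authentication; CheckAppCredentials() is a hypothetical
' lookup you implement against the application's user table.
Option Explicit

' NT account that IIS authenticated, or "" for an anonymous request.
' IIS fills AUTH_USER in after a successful handshake; the client cannot
' set it directly, which is what makes it usable as the identity.
Function NtUser()
    NtUser = Request.ServerVariables("AUTH_USER")
End Function

Function IsLoggedIn()
    IsLoggedIn = (Session("LoggedIn") = True)
End Function

' Ask the browser for NT credentials. IE answers the first 401 silently with
' the desktop logon, a second 401 prompts, and on Cancel it renders this body,
' which is where the user is handed over to the HTML form login.
Sub DemandNtLogin()
    Response.Status = "401 Unauthorized"
    Response.AddHeader "WWW-Authenticate", "NTLM"   ' assumption: IIS finishes the handshake
    Response.Write "<p>Windows logon cancelled. " & _
        "<a href=""login.asp?ret=" & _
        Server.URLEncode(Request.ServerVariables("SCRIPT_NAME")) & _
        """>Sign in with an application account</a></p>"
    Response.End
End Sub

' Steps 1-3: trust an NT logon if present, otherwise an existing application
' session, otherwise challenge once and then fall back to the form.
Sub RequireUser()
    If IsLoggedIn() Then Exit Sub
    If Len(NtUser()) > 0 Then
        Session("LoggedIn") = True
        Session("UserName") = NtUser()
        Session("AuthType") = "NT"
        Exit Sub
    End If
    ' Challenge only once per session so a cancelled dialog cannot loop forever.
    If Session("NtChallenged") <> True Then
        Session("NtChallenged") = True
        DemandNtLogin
    End If
    Response.Redirect "login.asp?ret=" & _
        Server.URLEncode(Request.ServerVariables("SCRIPT_NAME"))
End Sub

' Step 4, the POST handler in login.asp: verify application credentials,
' then mark the session. Failures are counted so they can be logged/limited.
Sub HandleAppLogin()
    Dim user, pass
    user = Request.Form("username")
    pass = Request.Form("password")
    If CheckAppCredentials(user, pass) Then   ' hypothetical lookup, supplied by you
        Session("LoggedIn") = True
        Session("UserName") = user
        Session("AuthType") = "App"
        Response.Redirect SafeReturnPath(Request.QueryString("ret"))
    Else
        Session("LoginFailures") = Session("LoginFailures") + 1
        Response.Write "<p>Invalid user name or password.</p>"
    End If
End Sub

' Accept only a same-site absolute path as the post-login destination, so the
' ret= parameter cannot be turned into an open redirect.
Function SafeReturnPath(ret)
    If Left(ret, 1) = "/" And Left(ret, 2) <> "//" And InStr(ret, "\") = 0 Then
        SafeReturnPath = ret
    Else
        SafeReturnPath = "/default.asp"
    End If
End Function
%>
```

Each protected page does `<!-- #include file="auth_gate.inc.asp" -->` and calls `RequireUser` before writing any output. The example keeps login state in the built-in `Session` object for brevity; for the web-farm requirement in the question that state would instead live in the database-backed session store, keyed by the session id, since the in-process `Session` object is not shared between servers.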

Author Comment

by:JeffGrigg
ID: 6474530
In IIS, I can check Request.ServerVariables for "AUTH_USER" or "REMOTE_USER" for NT authentication.  But the information seems to only be present when I first deny access to the page by returning a status of 401 (authentication required).  Doing this (with "WWW-Authenticate" headers) causes IE to respond automatically with authentication information.  If I "401" again, it prompts the user.  If they cancel, IE displays the HTML I send along with the 401.

Detecting if the client has cookies enabled is generally done by setting a cookie and redirecting to a special page.  That page knows that if it sees the cookie, then the client has cookies enabled, otherwise the client must have disabled them.  I'm inclined to assign a session id, and redirect the user with the session id in both a cookie and in the URL.  Then I can identify what session has cookies disabled, and mangle their URLs from then on.

I can't redirect and request authentication at the same time, as they're both HTTP "error" status codes.  I can set cookies and request authentication together, but if the client has cookies disabled, I'm not sure that IIS guarantees that "REMOTE_USER" will be blank if I have not requested authentication.

So I have to come up with some sequence of redirecting, requesting authentication, and dealing with exceptions that gracefully handles all possible client browser and configuration scenarios.

I can't be the first person to ever build a web site using HTTP authentication with Microsoft ASP pages.  There must be articles about it somewhere.
0
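The cookie-detection sequence described above (assign an id, send it in both a cookie and the URL, redirect once, then see which one came back) as a classic ASP include. This is an added example, not code from the thread. It assumes a hypothetical `store` object standing in for the database-backed "xmlSession" component mentioned in the question, with `Create(id)`, `Exists(id)` and `Put(id, key, value)` methods; the `sid` cookie and query-string names are the example's own.

```vbscript
<%
' session_bootstrap.inc.asp -- added example, not from the original thread.
' Assumptions: classic ASP; "store" is a hypothetical database-backed session
' component exposing Create(id), Exists(id) and Put(id, key, value).
Option Explicit

Const SID_COOKIE = "sid"
Const SID_PARAM  = "sid"

' Placeholder id generator. VBScript's Rnd is NOT a cryptographic source;
' replace it with a strong random id (database-generated or from a crypto
' component) before use, because a guessable id lets one session be hijacked.
Function NewSessionId()
    Dim i, s
    Randomize
    s = ""
    For i = 1 To 32
        s = s & Hex(Int(Rnd * 16))
    Next
    NewSessionId = s
End Function

' Rebuild the current URL with sid appended (and any stale sid removed),
' for clients that did not send the cookie back.
Function UrlWithSid(sid)
    Dim key, qs
    qs = ""
    For Each key In Request.QueryString
        If LCase(key) <> SID_PARAM Then
            qs = qs & Server.URLEncode(key) & "=" & _
                 Server.URLEncode(Request.QueryString(key)) & "&"
        End If
    Next
    UrlWithSid = Request.ServerVariables("SCRIPT_NAME") & "?" & qs & _
                 SID_PARAM & "=" & Server.URLEncode(sid)
End Function

' Returns the session id for this request.
' First visit: mint an id, offer it in BOTH a cookie and the URL, redirect once.
' Second visit: cookie came back  -> cookies work, stop putting sid in URLs;
'               only the URL had it -> cookies are off, keep mangling URLs.
Function BootstrapSession(store)
    Dim fromCookie, fromUrl, sid
    fromCookie = Request.Cookies(SID_COOKIE)
    fromUrl = Request.QueryString(SID_PARAM)

    If Len(fromCookie) > 0 And store.Exists(fromCookie) Then
        sid = fromCookie
        store.Put sid, "UseUrlSid", False
    ElseIf Len(fromUrl) > 0 And store.Exists(fromUrl) Then
        ' The id reached us only through the URL: this client is not sending cookies.
        sid = fromUrl
        store.Put sid, "UseUrlSid", True
    Else
        ' Missing or unknown id. Never adopt a client-supplied value the store has
        ' not issued (that is session fixation); mint a fresh one and come back.
        sid = NewSessionId()
        store.Create sid
        Response.Cookies(SID_COOKIE) = sid
        Response.Cookies(SID_COOKIE).Path = "/"
        Response.Redirect UrlWithSid(sid)
    End If
    BootstrapSession = sid
End Function
%>
```

Pages call `sid = BootstrapSession(store)` first and, when the store says `UseUrlSid` is true, pass every generated link through `UrlWithSid`. Two practical cautions that fall out of the design: only the store decides which ids are valid (the `Exists` checks), so an id the server never issued is never accepted; and an id carried in the URL is visible in web-server logs, browser history and the Referer header sent to other sites, so such sessions should be shorter-lived than cookie-backed ones.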
 
LVL 37

Expert Comment

by:meverest
ID: 6475433
hello.

i am not aware of any articles, and 60 points is not enough to persuade me to spend more time expanding on all this (sorry)

sure, it is a most interesting topic, but i have not much time spare these days :-}

good luck!

cheers.
0
 
LVL 9

Expert Comment

by:fz2hqs
ID: 9740427
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

Accept comment from meverest as answer

Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

fz2hqs
EE Cleanup Volunteer
