Solved

How to manage custom login and session on IIS?

Posted on 2001-09-06 | 618 Views | Last Modified: 2008-10-13
Where can I find a good description and/or articles describing how to properly manage HTTP authentication (Status 401 and WWW-Authenticate lines in response header) *and* session cookie / URL mangling to track custom session state?

It's easy to find reference information, telling what property to set to send a '401' response, but where's a good article that will tell me if I should redirect to check for cookies first or request authentication first?
_ _ _

I'd like to use HTTP authentication where appropriate, and switch to HTML form-based authentication if the user cancels the pop-up.  (Most of our users will have NT logins, but some may use custom application-defined user names and passwords.)

I'd like to manage custom session information, stored in a database, based on a customized "xmlSession" component.  (Top management requires this to support server farms without "sticky" IP addresses.)
_ _ _

P.S.  I'm talking about Visual Basic Scripting (VBS) code on Active Server Pages (ASP), with support from Visual Basic COM components.
Question by: JeffGrigg

6 Comments
LVL 37

Accepted Solution

by: meverest (earned 60 total points)
hmmm - you are talking about two very different auth methods.

may i ask, are you wanting to 'integrate' the two so that an either-or approach will work?

if that is what you want, then it is not a trivial task (if even possible!)

there is one way that i can think of that may be able to achieve something like that - being the 'OnAuthenticate()' method of the ISAPI.

may i suggest that you do some research on IIS implementation of ISAPI, and in particular, ISAPI filter as different from the extension type.

you can find some stuff about ISAPI in the MSDN library - go to:

http://search.microsoft.com/us/dev/default.asp

and entering a search for "ISAPI" will get you to some excellent references.

you can build ISAPI filters in a variety of languages, including C++, VB, and others.

good luck!
Author Comment

by: JeffGrigg
CHttpFilter::OnAuthentication is interesting
_ _ _

Yes, authentication and session tracking are two different things.  But I wish to do both.

For authentication:
We're integrating with a 3rd party "fat client" accounting package that can authenticate individual users by accepting NT authentication, or by using a separate user name and password.  So, I'd like to give the user the option of NT or application authentication.  I can do this by giving them an application login form when they cancel the NT authentication dialog box.  (If they give NT authentication, and I don't like it, I can also send them to the application login form.)

Session management:
One session for each browser session the user opens.  Should preserve session state across servers in a web farm.  Would be nice to recognize the user's right click and "Open in New Window", and other cases of multiple browser windows open from a single client box, but I'm not sure that's possible.  Should be based on session cookies, if possible, with fallback to adding query string parameters to URLs or hidden form fields when cookies are disabled.

These are two independent concepts.  But as a practical matter, they both have to be done "at the same time" -- on first and every page.  And good session management is necessary to support application authentication.
LVL 37

Expert Comment

by: meverest
OK,

how about this:

there is a cgi environment variable called AUTH_USER (or AUTHENTICATED_USER)- you can query this to see if it is a valid NT user who has entered creds at the NT (IIS) logon.

your application flow goes something like this:

1.  check authenticated_user (depends on what development environment you are using, for example, in ASP it is Request.ServerVariables("AUTH_USER"))

2.  if auth, then set logged-in/username session variable/s

3.  if not auth, pass to html/asp login form.

4.  on submit login form, check creds and if ok, set the username/logged-in, proceed

cheers.
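The four-step flow above, written out as a classic ASP (VBScript) include. This is an added example, not code from the thread. It assumes the IIS directory has both Anonymous and Integrated Windows (NTLM) authentication enabled, uses the built-in Session object where the asker's database-backed component would go, and treats MyApp.Users as a hypothetical COM component that checks application-defined accounts:

```vbscript
<%
' Added example, not from the original thread.
' Assumptions: Anonymous + Integrated Windows auth enabled on this directory;
' MyApp.Users is a hypothetical COM component exposing CheckPassword(user, pwd).
Option Explicit

Function CurrentNtUser()
    ' IIS fills AUTH_USER only after the browser has answered a 401 challenge;
    ' on a plain anonymous request it is empty.
    CurrentNtUser = Request.ServerVariables("AUTH_USER")
End Function

Sub EnsureAuthenticated()
    Dim ntUser
    If Session("loggedIn") = True Then Exit Sub       ' already established earlier

    ' Steps 1 and 2: NT credentials present, record them in the session.
    ntUser = CurrentNtUser()
    If ntUser <> "" Then
        Session("username") = ntUser
        Session("authKind") = "NT"
        Session("loggedIn") = True
        Exit Sub
    End If

    ' Step 3: no NT credentials yet. Challenge the browser. The HTML body is
    ' what the user sees if they cancel the credential dialog, so it carries
    ' the link to the application's own form-based login.
    Response.Status = "401 Unauthorized"
    Response.AddHeader "WWW-Authenticate", "NTLM"
    Response.Write "<html><body><p>Windows login cancelled. " & _
        "<a href=""login.asp"">Sign in with an application account</a></p>" & _
        "</body></html>"
    Response.End
End Sub

Function ValidateAppLogin(user, pwd)
    ' Delegates to the (hypothetical) user store; the password itself is never
    ' kept in the session, only the fact that the check succeeded.
    Dim users
    Set users = Server.CreateObject("MyApp.Users")
    ValidateAppLogin = users.CheckPassword(user, pwd)
End Function

Sub HandleAppLogin()
    ' Step 4: POST handler behind login.asp.
    Dim user, pwd
    user = Request.Form("username")
    pwd  = Request.Form("password")
    If ValidateAppLogin(user, pwd) Then
        Session("username") = user
        Session("authKind") = "APP"
        Session("loggedIn") = True
        Response.Redirect "default.asp"
    Else
        ' Same generic message for an unknown user and a wrong password, so
        ' the form does not reveal which account names exist.
        Response.Write "<p>Login failed. Please try again.</p>"
    End If
End Sub
%>
```

Every protected page calls EnsureAuthenticated before writing output. As the next comment in the thread observes, IE answers the first NTLM challenge automatically with the logged-on user's credentials, so if that NT account is not acceptable to the application the page has to send a second 401 before the user is actually prompted.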
Author Comment

by: JeffGrigg
In IIS, I can check Request.ServerVariables for "AUTH_USER" or "REMOTE_USER" for NT authentication.  But the information seems to only be present when I first deny access to the page by returning a status of 401 (authentication required).  Doing this (with "WWW-Authenticate" headers) causes IE to respond automatically with authentication information.  If I "401" again, it prompts the user.  If they cancel, IE displays the HTML I send along with the 401.

Detecting if the client has cookies enabled is generally done by setting a cookie and redirecting to a special page.  That page knows that if it sees the cookie, then the client has cookies enabled, otherwise the client must have disabled them.  I'm inclined to assign a session id, and redirect the user with the session id in both a cookie and in the URL.  Then I can identify what session has cookies disabled, and mangle their URLs from then on.

I can't redirect and request authentication at the same time, as they're both HTTP "error" status codes.  I can set cookies and request authentication together, but if the client has cookies disabled, I'm not sure that IIS guarantees that "REMOTE_USER" will be blank if I have not requested authentication.

So I have to come up with some sequence of redirecting, requesting authentication, and dealing with exceptions that gracefully handles all possible client browser and configuration scenarios.

I can't be the first person to ever build a web site using HTTP authentication with Microsoft ASP pages.  There must be articles about it somewhere.
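The cookie probe and session-id hand-off described in this comment (set the id as a cookie and in the URL, redirect, then see which one comes back), as an added example that is not part of the original thread. MyApp.SessionStore, with Create, SetUrlMode and IsUrlMode methods, is a hypothetical stand-in for the asker's database-backed xmlSession component:

```vbscript
<%
' Added example, not from the original thread.
' Assumption: MyApp.SessionStore is a hypothetical COM component backed by the
' shared database, so the same session resolves on every server in the farm.
Option Explicit
Const SID_NAME = "appsid"

Dim SessionStore
Set SessionStore = Server.CreateObject("MyApp.SessionStore")

Function NewSessionId()
    ' Scriptlet.TypeLib returns a fresh GUID in braces. GUIDs are unique but
    ' not unpredictable; a production build should take the id from a
    ' cryptographic random source exposed by a COM component (assumed here).
    Dim tl
    Set tl = Server.CreateObject("Scriptlet.TypeLib")
    NewSessionId = Mid(tl.Guid, 2, 36)      ' strip the braces and trailing nulls
End Function

Function ResolveSession()
    Dim cookieSid, urlSid, sid
    cookieSid = Request.Cookies(SID_NAME)
    urlSid    = Request.QueryString(SID_NAME)

    ' Cookie came back: cookies are enabled, the session rides on the cookie
    ' and links stay clean.
    If cookieSid <> "" Then
        ResolveSession = cookieSid
        Exit Function
    End If

    ' Id arrived in the URL but no cookie: this client has cookies disabled.
    ' Mark the session so every link generated from now on carries the id.
    If urlSid <> "" Then
        SessionStore.SetUrlMode urlSid, True
        ResolveSession = urlSid
        Exit Function
    End If

    ' First contact: mint an id, set it as a session cookie (no Expires, so it
    ' dies with the browser), and redirect to this same page with the id in
    ' the query string. The next request lands in one of the branches above.
    sid = NewSessionId()
    SessionStore.Create sid
    Response.Cookies(SID_NAME) = sid
    Response.Cookies(SID_NAME).Path = "/"
    Response.Redirect Request.ServerVariables("URL") & "?" & SID_NAME & "=" & sid
End Function

Function SessionUrl(href, sid)
    ' Append the id only for URL-mode sessions; cookie sessions keep plain links.
    If SessionStore.IsUrlMode(sid) Then
        If InStr(href, "?") > 0 Then
            SessionUrl = href & "&" & SID_NAME & "=" & Server.URLEncode(sid)
        Else
            SessionUrl = href & "?" & SID_NAME & "=" & Server.URLEncode(sid)
        End If
    Else
        SessionUrl = href
    End If
End Function
%>
```

Each page calls ResolveSession once at the top and builds its links through SessionUrl. The probe costs one redirect on first contact only. An id carried in the query string is exposed in Referer headers, proxy logs and bookmarks, so URL-mode sessions are best given a short lifetime and a new id issued after application login rather than reusing the one handed out before the user was known.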
LVL 37

Expert Comment

by: meverest
hello.

i am not aware of any articles, and 60 points is not enough to persuade me to spend more time expanding on all this (sorry)

sure, it is a most interesting topic, but i have not much time spare these days :-}

good luck!

cheers.
LVL 9

Expert Comment

by: fz2hqs
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

Accept comment from meverest as answer

Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

fz2hqs
EE Cleanup Volunteer
