?
Solved

How to manage custom login and session on IIS?

Posted on 2001-09-06
6
Medium Priority
?
636 Views
Last Modified: 2008-10-13
Where can I find a good description and/or articles describing how to properly manage HTTP authentication (Status 401 and WWW-Authenticate lines in response header) *and* session cookie / URL mangling to track custom session state?

It's easy to find reference information, telling what property to set to send a '401' response, but where's a good article that will tell me if I should redirect to check for cookies first or request athentication first?
_ _ _

I'd like to use HTTP authentication where appropriate, and switch to HTML form-based authentication if the user cancels the pop-up.  (Most of our users will have NT logins, but some may use custom application-defined user names and passwords.)

I'd like to manage custom session information, stored in a database, based on a customized "xmlSession" component.  (Top management requires this to support server farms without "sticky" IP addresses.)
_ _ _

P.S.  I'm talking about Visual Basic Scripting (VBS) code on Active Server Pages (ASP), with support from Visual Basic COM components.
0
Comment
Question by:JeffGrigg
  • 3
  • 2
6 Comments
 
LVL 37

Accepted Solution

by:
meverest earned 240 total points
ID: 6469367
hmmm - you are talking about two very different auth methods.

may i ask, are you wanting to 'integrate' the two so that an either-or approach will work?

if that is what you want, then is is not a trivial task (if even possible!)

there is one way that i can think of that may be able to achieve something like that - being the 'OnAuthenticate()' method of the ISAPI.

may i suggest that you do some research on IIS implementation of ISAPI, and in particular, ISAPI filter as different from the extension type.

you can find some stuff about ISAPI in the MSDN library - go to:

http://search.microsoft.com/us/dev/default.asp

and enter a search for "ISAPI" will get you to some excellent references.

you can build ISAPI filters in a variety of languages, including C++, VB, and others.

good luck!


 
0
 

Author Comment

by:JeffGrigg
ID: 6470706
CHttpFilter::OnAuthentication is interesting
_ _ _

Yes, authentication and session tracking are two different things.  But I wish to do both.

For authentication:
We're integrating with a 3rd party "fat client" accounting package that can authenticate individual users by accepting NT authentication, or by using a separate user name and password.  So, I'd like to give the user the option of NT or application authentication.  I can do this by giving them an application login form when they cancel the NT authentication dialog box.  (If they give NT authentication, and I don't like it, I can also send them to the application login form.)

Session management:
One session for each browser session the user opens.  Should preserve session state across servers in a web farm.  Would be nice to recognize the user's right click and "Open in New Window", and other cases of multiple browser windows open from a single client box, but I'm not sure that's possible.  Should be based on session cookies, if possible, with fallback to adding query string parameters to URLs or hidden form fields when cookies are disabled.

These are two independent concepts.  But as a practical matter, they both have to be done "at the same time" -- on first and every page.  And good session management is necessary to support application authentication.
0
 
LVL 37

Expert Comment

by:meverest
ID: 6472575
OK,

how about this:

there is a cgi environment variable called AUTH_USER (or AUTHENTICATED_USER)- you can query this to see if it is a valid NT user who has entered creds at the NT (IIS) logon.

your application flow goes something like this:

1.  check authenticated_user (depends on what development environment you are using, for example, in ASP it is Request.ServerVariables("AUTH_USER")

2.  if auth, then set logged-in/username session variable/s

3.  if not auth, pass to html/asp login form.

4.  on submit login form, check creds and if ok, set the username/logged-in, proceed

cheers.
0
Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

 

Author Comment

by:JeffGrigg
ID: 6474530
In IIS, I can check Request.ServerVariables for "AUTH_USER" or "REMOTE_USER" for NT authentication.  But the information seems to only be present when I first deny access to the page by returning a status of 401 (authentication required).  Doing this (with "WWW-Authenticate" headers) causes IE to respond automatically with authentication information.  If I "401" again, it prompts the user.  If they cancel, IE displays the HTML I send along with the 401.

Detecting if the client has cookies enabled is generally done by setting a cookie and redirecting to a special page.  That page knows that if it sees the cookie, then the client has cookies enabled, otherwise the client must have disabled them.  I'm inclined to assign a session id, and redirect the user with the session id in both a cookie and in the URL.  Then I can identify what session has cookies disabled, and mangle their URLs from then on.

I can't redirect and request authentication at the same time, as they're both HTTP "error" status codes.  I can set cookies and request authentication together, but if the client has cookies disabled, I'm not sure that IIS guarantees that "REMOTE_USER" will be blank if I have not requested authentication.

So I have to come up with some sequence of redirecting, requesting authentication, and dealing with exceptions that gracefully handles all possible client browser and configuration scenarios.

I can't be the first person to ever build a web site using HTTP authentication with Microsoft ASP pages.  There must be articles about it somewhere.
0
 
LVL 37

Expert Comment

by:meverest
ID: 6475433
hello.

i am not aware of any articles, and 60 points is not enough to persuade me to spend more time expanding on all this (sorry)

sure, it is a most interesting topic, but i have not much time spare these days :-}

good luck!

cheers.
0
 
LVL 9

Expert Comment

by:fz2hqs
ID: 9740427
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

Accept comment from meverest as answer

Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

fz2hqs
EE Cleanup Volunteer

0

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Logparser is the smartest tool I have ever used in parsing IIS log files and there are many interesting things I wanted to share with everyone one of the  real-world  scenario from my current project. Let's get started with  scenario - How do w…
Debug Tools to analyse IIS process: This article focus on taking memory dumps from IIS to determine which code is taking more time and to analyse which calls hangs/causes more CPU usage. To take dumps,download the following. Install1: To st…
Are you ready to place your question in front of subject-matter experts for more timely responses? With the release of Priority Question, Premium Members, Team Accounts and Qualified Experts can now identify the emergent level of their issue, signal…
With just a little bit of  SQL and VBA, many doors open to cool things like synchronize a list box to display data relevant to other information on a form.  If you have never written code or looked at an SQL statement before, no problem! ...  give i…

807 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question