Why does the InternetConnect function need a password and a login?

Hi there,

I've been told an https request could only be used for encrypting the data transmitted, not for authentication.
In this case, why does the InternetConnect function need a login and a password?

Please have a look at my code snippet and also at question
http://www.experts-exchange.com/Microsoft/Development/.NET/Visual_Studio_.NET_2005/Q_23122733.html

Thanks in advance
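
#include <windows.h>
#include <wininet.h>   // link with wininet.lib
#include <tchar.h>     // _tcslen
#include <string.h>    // strlen
#include <stdlib.h>    // free

#define DIRECTORY_AND_SYNC_SCRIPT_NAME L"MyDir/MyScript.cgi"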
 
int MakePostHttpsRequest(LPWSTR wLogin, LPWSTR wPassword, LPWSTR wBoxIP, int iPort, char * sInput)
{
	HINTERNET hOpen, hConnect, hReq;
 
	hOpen = InternetOpen(L"anonymous", INTERNET_OPEN_TYPE_PRECONFIG, NULL, L"", 0);
	if(!hOpen)
// Doesn't reach this line
		return 1;
 
	hConnect = InternetConnect(hOpen, wBoxIP, iPort, wLogin, wPassword, INTERNET_SERVICE_HTTP, 0, 0);
	if(!hConnect)
	{
// Doesn't reach this line
		InternetCloseHandle(hOpen);
		return 1;
	}
 
	hReq = HttpOpenRequest(hConnect, L"POST", DIRECTORY_AND_SYNC_SCRIPT_NAME, L"HTTP/1.0", NULL, NULL, INTERNET_FLAG_RELOAD
																			| INTERNET_FLAG_KEEP_CONNECTION
																			| INTERNET_FLAG_SECURE
																			| INTERNET_FLAG_IGNORE_CERT_CN_INVALID
																			| INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, 0);
	if(!hReq)
	{
// Doesn't reach this line
		// Close the child handle before its parent
		InternetCloseHandle(hConnect);
		InternetCloseHandle(hOpen);
		return 1;
	}
 
	LPCWSTR wHeader = L"Content-Type: application/x-www-form-urlencoded";
 
	char * sInputEncoded = MyString::Encode(sInput);
 
	int iRetVal;
	iRetVal = HttpSendRequest(hReq, wHeader, (DWORD) _tcslen(wHeader), sInputEncoded, (DWORD) strlen(sInputEncoded));
	DWORD uErrorCode = GetLastError();
	if(iRetVal != 1)
	{
		// there has been a problem
		if(uErrorCode == ERROR_INTERNET_INVALID_CA)
		{
// Reach this line
 
			// Problem of rights
			iRetVal = InternetErrorDlg(GetDesktopWindow(),
										hReq,
										ERROR_INTERNET_INVALID_CA,
										FLAGS_ERROR_UI_FILTER_FOR_ERRORS
										| FLAGS_ERROR_UI_FLAGS_GENERATE_DATA
										| FLAGS_ERROR_UI_FLAGS_CHANGE_OPTIONS,
										0);
// I click "Yes" when asked to accept the certificate
 
			if(iRetVal == ERROR_SUCCESS)
			{
// Reach this line
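				// The certificate is accepted: resend the request.
				// sInputEncoded is freed once, at the end of the function
				// (freeing it here as well would be a double free).
				HttpSendRequest(hReq, wHeader, (DWORD) _tcslen(wHeader), sInputEncoded, (DWORD) strlen(sInputEncoded));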
			}
			else
			{
				// The certificate is refused : Leave !
				// Close child handles before their parents
				InternetCloseHandle(hReq);
				InternetCloseHandle(hConnect);
				InternetCloseHandle(hOpen);
 
				free(sInputEncoded);
				
				return 1;
			}
		}
		else // Another problem : Leave !
		{
			// Close child handles before their parents
			InternetCloseHandle(hReq);
			InternetCloseHandle(hConnect);
			InternetCloseHandle(hOpen);
 
			free(sInputEncoded);
 
			return 1;
		}
	}
 
// I can see the script has been executed on the server with the data transmitted
 
	// Close child handles before their parents
	InternetCloseHandle(hReq);
	InternetCloseHandle(hConnect);
	InternetCloseHandle(hOpen);
 
	free(sInputEncoded);
 
	return 0;
}


B_B_Boris asked:

Joel Coehoorn, Director of Information Technology, commented:
https protects against 'man in the middle' attacks.  If anyone is tapping the line somewhere between your web site and the end user all they'll see is encrypted data.  Other than that it's supposed to work like normal http, and the connection is set up automatically.

Now for the authentication tokens used with InternetConnect().  It might be possible to use them like you want, but there are some things you'll want to consider first.  One is that there's nothing special about https in this regard.  The tokens are available for http too.  The other is that authentication happens at the web server level before requests are approved.  This has several drawbacks:
1) You can't include the login in the web page since users must authenticate *before* any page is sent to the browser.
2) Tokens are often stored in plain text config files.
3) It only supports authentication.  There's no built-in mechanism to do anything beyond that, like use the user name as a key into a database that knows things like your name, e-mail address, site preferences, shipping details, saved shopping carts, or anything else.
0
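
Added example (not part of the original thread, the question's code, or the answer above): assuming the server challenges with the HTTP Basic scheme (RFC 7617), this portable C sketch builds the request header that a login and password such as those passed to InternetConnect() end up in. The function names are illustrative and the credentials are the RFC's own sample pair; the value is only base64-encoded, so its confidentiality rests entirely on the TLS layer underneath.

```c
#include <stdio.h>
#include <string.h>

/* Base64-encode src[0..n) into dst (RFC 4648). Returns the encoded length,
   or 0 if dst is too small. */
static size_t b64_encode(const unsigned char *src, size_t n, char *dst, size_t cap)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t need = 4 * ((n + 2) / 3), i, o = 0;
    if (cap < need + 1) return 0;
    for (i = 0; i < n; i += 3) {
        unsigned long v = (unsigned long)src[i] << 16;
        if (i + 1 < n) v |= (unsigned long)src[i + 1] << 8;
        if (i + 2 < n) v |= src[i + 2];
        dst[o++] = tbl[(v >> 18) & 63];
        dst[o++] = tbl[(v >> 12) & 63];
        dst[o++] = (i + 1 < n) ? tbl[(v >> 6) & 63] : '=';
        dst[o++] = (i + 2 < n) ? tbl[v & 63] : '=';
    }
    dst[o] = '\0';
    return o;
}

/* Build the header a client sends after a "401 / WWW-Authenticate: Basic"
   challenge. Returns 0 on success, -1 on bad input (RFC 7617 forbids ':' in
   the user-id) or if a buffer is too small. */
int build_basic_auth_header(const char *login, const char *password,
                            char *out, size_t cap)
{
    char creds[256], b64[352];
    int n;
    if (!login || !password || strchr(login, ':')) return -1;
    n = snprintf(creds, sizeof creds, "%s:%s", login, password);
    if (n < 0 || (size_t)n >= sizeof creds) return -1;
    if (!b64_encode((const unsigned char *)creds, (size_t)n, b64, sizeof b64))
        return -1;
    n = snprintf(out, cap, "Authorization: Basic %s", b64);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

int main(void)
{
    char hdr[512];
    /* Constructed sample credentials: the example pair from RFC 7617. */
    if (build_basic_auth_header("Aladdin", "open sesame", hdr, sizeof hdr) == 0)
        puts(hdr);
    return 0;
}
```

With the certificate checks relaxed as in the question's request flags, TLS no longer guarantees which server ends up decoding that header.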