Export (0) Print
Expand All

Configuring Login.asp to use a GUID

Commerce Server 2002

You may want to update your Login.asp page to add a custom property named guid, which holds a globally unique identifier (GUID) string on the ticket of a user to protect your site from Distributed Denial of Service (DDoS) attacks.

To place a GUID on the ticket of a user, you must update your login page, the Login.asp page for Solution Sites. Once a GUID is placed in the ticket, AuthFilter uses the GUID to lookup the password of the user in the AuthFilter password cache. The GUID is placed on the ticket of the user as a custom property by using the SetProperty method of the AuthManager object. Additionally, the property is appended to the query string for the redirected URL.

Once set, AuthFilter uses the GUID property to access the password cache instead of the user ID. When a user logs on with the same user ID but with a different password, AuthFilter identifies this as a different user and a new entry is made in the password cache instead of overwriting the original password. AuthFilter then follows the same steps as for a new user. For a code example showing this process, see Code to Set a Custom Property on a Ticket.

To view a sample Login.asp page, that has been updated to avoid this (DDoS) attack scenario, see Login.asp Code for the Supplier Solution Site.

In the example below, the code with the arrow next to it indicates the changes you need to make to the Login.asp file.

' after setting AuthTicket
     objAuth.SetAuthTicket strUserID, True, 90
  objAuth.SetProperty 2, "guid", strGUID   change this line

' at the redirect in both the FirstTime and WebFarm paths:
      strRetAsp = Request.Cookies("MSCSFirstRequestedURL")
      strRetAsp = strRetAsp + "proxyuser=" 
      strRetAsp = strRetAsp + "MyDomain\User1" 
      strRetAsp = strRetAsp + "&proxypwd=" 
      strRetAsp = strRetAsp + "password"
   strRetAsp = strRetAsp + "&guid="  change this line
   strRetAsp = strRetAsp + strGUID   change this line

The strGUID variable is a GUID/UniqueID generated, for example, by the GUIDGen object. Note that the GUID must be a unique identifier.

See Also

Login.asp Code for the Supplier Solution Site

BDSecurity Object

AuthManager Object

Code to Set a Custom Property on a Ticket

Code to Generate a GUID

Using Proxy Accounts in a Web Farm

Adding a New Property to a Profile Definition

Copyright © 2005 Microsoft Corporation.
All rights reserved.
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft