Processing User Requests in Autocookie Mode

When a user sends a request to access a site, the AuthFilter ISAPI filter performs the following steps after Internet Information Services (IIS) notifies it that an SF_NOTIFY_PREPROC_HEADERS event has occurred:

  1. It checks for site configuration properties in the local site cache and, if not found, reads the site configuration properties from the Administration database using a SiteConfig object and stores them in the site cache.

  2. It checks whether the URL is correct, automatically correcting for differences in case.

  3. It checks for cookie support on the browser.

  4. If cookies are not supported, the user is redirected to the Active Server Pages (ASP) page specified in the No-Cookie form property of the CS Authentication resource. Usually this page notifies the user that cookies are required and that the user should resubmit the request once cookies are enabled. By default, an ASP page, named nocookie.asp, is supplied with Solution Sites for this purpose. This file is located in the AuthFiles folder in the Commerce Server installation directory.

  5. AuthFilter checks whether the request contains an MSCSProfile ticket.

    Note

    • In Autocookie mode, anonymous access is allowed unless you specify Autocookie mode with Windows authentication. If you specify the latter, AuthFilter checks the cookie for a valid MSCSAuth ticket.

  6. If an MSCSProfile ticket exists in the cookie, AuthFilter uses the anonymous user account to impersonate the user in IIS. By default, the anonymous user account is IUSR_<computername>, where <computername> is the name of the computer where IIS is installed.

  7. If the requested URL allows anonymous access rights, the URL is returned.

  8. If an MSCSProfile ticket does not exist in the request, the user is redirected to the ASP page specified in the AutoCookie Form property of the CS Authentication resource.

AutoCookie Page

The eight steps listed in Processing User Requests in Autocookie Mode are transparent to the site developer. The following steps take place on the Autocookie page, which must be supplied by the site developer:

  1. Persistent cookie support is checked, and if it is unavailable, the user is redirected to the no-cookie page.
  2. If persistent cookie support is enabled, a globally unique identifier (GUID) or another unique ID is created to identify the user.
  3. The unique ID is set into an MSCSProfile ticket for the user.
  4. At this point a profile can be created to store information about the anonymous user.
  5. The user is redirected to the requested URL.

A default page, Autocookie.asp, showing much of this functionality is supplied with the installed product and located in the \Microsoft Commerce Server\AuthFiles folder.
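
The Autocookie page steps above, modelled in Python as an added example (this is not Commerce Server code and not the shipped Autocookie.asp). The probe-cookie round trip used to test persistent cookie support, the HMAC-protected ticket value, the two page URLs, and the same-site check on the redirect target are assumptions of this example; the page does not describe how the real MSCSProfile ticket is formed.

```python
import hashlib, hmac, uuid
from urllib.parse import quote

KEY = b"constructed-demo-key"                  # constructed; stand-in for real ticket protection
PROBE = "CookieProbe"                          # hypothetical persistent test cookie
AUTOCOOKIE_PAGE = "/AuthFiles/autocookie.asp"  # assumed URL of the Autocookie page
NO_COOKIE_PAGE = "/AuthFiles/nocookie.asp"     # assumed URL of the no-cookie page

def make_ticket(user_id):
    """Bind the unique ID to a MAC so a client-edited value is rejected."""
    mac = hmac.new(KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return user_id + "." + mac

def read_ticket(ticket):
    """Return the user ID from a ticket, or None if the MAC does not verify."""
    user_id, _, mac = ticket.rpartition(".")
    good = hmac.new(KEY, user_id.encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(mac.encode(), good.encode())
    return user_id if user_id and ok else None

def safe_target(url):
    """Allow only a site-relative path so the final redirect stays on the site."""
    local = url.startswith("/") and not url.startswith("//")
    clean = "\\" not in url and not any(ord(c) < 32 for c in url)
    return url if local and clean else "/"

def autocookie_page(cookies, requested_url, probed):
    """Return (redirect location, cookies to set) for one hit on the page."""
    target = safe_target(requested_url)
    if PROBE not in cookies:
        if probed:                             # step 1: probe was set but never came back
            return NO_COOKIE_PAGE, {}
        back = AUTOCOOKIE_PAGE + "?probed=1&url=" + quote(target, safe="")
        return back, {PROBE: "1"}              # first hit: set the probe and return here
    user_id = str(uuid.uuid4())                # step 2: random, unguessable unique ID
    ticket = make_ticket(user_id)              # step 3: ID placed in the MSCSProfile ticket
    # step 4 (creating a profile for the anonymous user) would go here
    return target, {"MSCSProfile": ticket}     # step 5: redirect to the requested URL
```

A random (version 4) GUID matters here because the ID is the only thing that distinguishes one anonymous user's profile from another's.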

See Also

Enabling Autocookie Mode

Enabling Cookie Sharing across Domains

Enabling Cookie Sharing Across Applications

Copyright © 2005 Microsoft Corporation.
All rights reserved.