What Is AuthFilter?

Note

Commerce Server 2009 provides AuthFilter for backward compatibility only. You should use the Commerce Server Membership Provider instead. For information about the Commerce Server Membership Provider, see What Is the Commerce Server Membership Provider?

Commerce Server 2009 provides AuthFilter, which is an ISAPI filter. AuthFilter alters the default behavior of Microsoft Internet Information Services (IIS) and affects how HTTP requests and responses are handled. To set up AuthFilter for the first time, see How to Restore AuthFilter Functioning.

By default, when you use AuthFilter, Commerce Server Core Systems installs AuthFilter at the IIS site level with low priority. This means that if other ISAPI filters are running in IIS, they will process requests before AuthFilter does. If you have ISAPI filters from other applications or custom ISAPI filters on your Web server, you can configure these ISAPI filters at a higher priority if you want those filters to process requests before AuthFilter does.

When AuthFilter is notified of an incoming request, it automatically does the following:

  • Detects whether the requested URL is correct. AuthFilter automatically corrects for the case sensitivity of the IIS virtual directory roots.

    Warning

    AuthFilter issues a redirect to correct the case in the requested URL. Any POST data in the request is lost.

  • Checks whether the browser supports cookies. If the user's browser does not support cookies, AuthFilter redirects the user to a no-cookie page. AuthFilter requires that browsers support cookies.

    Warning

    AuthFilter issues a redirect when it verifies whether the browser supports cookies. Commerce Server Core Systems does this verification only on the first request during the session. Any POST data in the request is lost.

  • Checks that the user has a valid ticket. For Windows and custom authentication modes, if the request does not contain a valid MSCSAuth ticket, the request is redirected to the Login.asp page. For Autocookie mode, if the request does not have a valid MSCSProfile ticket, the request is redirected to the Autocookie.asp page.
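The three checks above run in a fixed order, and each of the first two is a redirect, which is why a POST body can be discarded before the ticket is ever examined. The following Python model (an added illustration, not Commerce Server or AuthFilter code) walks a request through that order and records whether a redirect would lose the POST body. Login.asp and Autocookie.asp are the pages named above; the virtual directory roots, the no-cookie page name, the ticket cookie names and the set of "known valid" tickets are constructed for the example.

```python
"""Model of the order in which AuthFilter handles an incoming request.

Added illustration, not Commerce Server code. It models the three checks the
page describes (URL case, cookie support, ticket validity) in that order and
records when a redirect would discard a POST body. Login.asp and
Autocookie.asp come from the page; the vdir roots, the no-cookie page name,
the ticket cookie names and the "known valid tickets" set are constructed.
"""
from dataclasses import dataclass, field

VDIR_ROOTS = ["/Retail", "/Retail/Admin"]      # constructed canonical roots
NO_COOKIE_PAGE = "/nocookie.asp"               # assumed name of the no-cookie page
LOGIN_PAGE, AUTOCOOKIE_PAGE = "/Login.asp", "/Autocookie.asp"
VALID_TICKETS = {"MSCSAuth": {"auth-ticket-1"}, "MSCSProfile": {"profile-ticket-1"}}


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    first_in_session: bool = False   # cookie support is verified only on this request
    accepts_cookies: bool = True


@dataclass
class Decision:
    action: str                # "pass" or "redirect"
    location: str = ""         # redirect target
    post_data_lost: bool = False


def canonical_path(path):
    """Return the path with its vdir root re-cased, or None when already correct."""
    for root in sorted(VDIR_ROOTS, key=len, reverse=True):
        prefix, rest = path[:len(root)], path[len(root):]
        if prefix.lower() == root.lower() and (rest == "" or rest.startswith("/")):
            return None if prefix == root else root + rest
    return None


def handle_request(req, auth_mode="Windows"):
    lost = req.method.upper() == "POST"   # any redirect drops the POST body
    # 1. URL case correction is a redirect.
    fixed = canonical_path(req.path)
    if fixed is not None:
        return Decision("redirect", fixed, lost)
    # 2. Cookie-support verification redirects once per session (assumed: back
    #    to the same URL when cookies work, to the no-cookie page otherwise).
    if req.first_in_session:
        target = req.path if req.accepts_cookies else NO_COOKIE_PAGE
        return Decision("redirect", target, lost)
    # 3. Which ticket is required depends on the authentication mode.
    if auth_mode in ("Windows", "Custom"):
        ticket, page = "MSCSAuth", LOGIN_PAGE
    elif auth_mode == "Autocookie":
        ticket, page = "MSCSProfile", AUTOCOOKIE_PAGE
    else:
        raise ValueError(f"unknown authentication mode {auth_mode!r}")
    if req.cookies.get(ticket) not in VALID_TICKETS[ticket]:
        return Decision("redirect", page, lost)
    return Decision("pass")
```

The model makes the practical consequence visible: a POST to a URL whose virtual directory root is mis-cased, or the first POST of a session, never reaches the application with its body intact, even when the request carries a valid ticket. Forms should therefore be served from correctly cased URLs after the session's first request has already been made.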

When a user accesses a site with multiple Web servers, the request is directed to a particular server based on load balancing or a round-robin algorithm. When the request arrives at the server, the user is asked to log on.

If you are using the Active Directory directory service for authentication, the logon is cached by the ISAPI filter and is specific to that server. Commerce Server Core Systems also places a ticket cookie that contains the user ID on the client.

To enable users to be seamlessly redirected to other Web servers in the cluster, you must make sure that sufficient information is passed to the ISAPI filter on the other servers so that the user can log on. You must write custom code to hide this process from the user. To write the custom code, do the following:

  1. Extend the Profiles store to store the password.

  2. Capture the password in the Profiles store during logon or site registration.

  3. Modify the site registration or logon page to check for the presence of the ticket cookie. If the cookie exists, use the MSCSAuthManager object to get the user ID from the cookie and retrieve the user name and password from the Profiles store. You can then pass the user name and password back to the ISAPI filter.

  4. To operate in a load-balanced cluster, you must store the passwords with reversible encryption. Because passwords are captured on the logon page and written to the Profiles store, the logon page also captures password changes. However, if you use Active Directory tools to change a password during a browser session, the user will be prompted for logon information and the new password will be captured.
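The four steps above, as an added Python model that is not Commerce Server code: two model Web servers share a Profiles store and a directory but keep separate logon caches, as the ISAPI filter's cache is per server. Server A logs the user on interactively, captures the password in the store and issues a ticket cookie carrying the user ID; when the next request lands on server B, B recovers the user name and password from the store and logs the user on silently. The reversible encryption is an HMAC-SHA256 keystream with an HMAC tag (encrypt-then-MAC), a stand-in for whatever reversible encryption a deployment chooses, with the key held by the servers rather than in the store. The directory and the MSCSAuthManager lookup are modelled, and the cookie value is the bare user ID rather than an encrypted ticket.

```python
"""Model of the load-balanced logon hand-off described in the steps above.

Added illustration, not Commerce Server code. Each model server keeps its own
logon cache, as the ISAPI filter does; the ticket cookie carries the user ID;
the Profiles store is extended with a reversibly encrypted password so a
second server can log the user on without prompting. The encryption is an
HMAC-SHA256 keystream with an HMAC tag (encrypt-then-MAC), a stand-in for
whatever reversible encryption a deployment uses; its key is held by the
servers, not in the store. The directory and MSCSAuthManager are modelled.
"""
import hashlib
import hmac
import os

SITE_KEY = os.urandom(32)   # constructed; kept outside the Profiles store


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def protect(password, key=SITE_KEY):
    """Return nonce || ciphertext || tag for a password (reversible, integrity-checked)."""
    nonce, pt = os.urandom(16), password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(_subkey(key, b"enc"), nonce, len(pt))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(blob, key=SITE_KEY):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("profile record tampered with or wrong key")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))
    return pt.decode()


class ProfilesStore:
    """Step 1: Profiles store extended with an encrypted password property."""
    def __init__(self):
        self.records = {}

    def save_logon(self, user_id, user_name, password):    # step 2: capture at logon
        self.records[user_id] = {"user_name": user_name, "password_enc": protect(password)}

    def credentials(self, user_id):
        rec = self.records[user_id]
        return rec["user_name"], unprotect(rec["password_enc"])


class Directory:
    """Stand-in for Active Directory: user name -> current password."""
    def __init__(self, accounts):
        self.accounts = accounts

    def check(self, user_name, password):
        return self.accounts.get(user_name) == password


class WebServer:
    def __init__(self, name, directory, profiles):
        self.name, self.directory, self.profiles = name, directory, profiles
        self.logon_cache = set()     # the filter's logon cache is specific to this server

    def interactive_logon(self, user_name, password):
        """Logon page: authenticate, cache, capture the password, issue the ticket cookie."""
        if not self.directory.check(user_name, password):
            return None
        user_id = "uid-" + user_name
        self.logon_cache.add(user_id)
        self.profiles.save_logon(user_id, user_name, password)
        return {"MSCSAuth": user_id}   # modelled: real tickets are encrypted by AuthFilter

    def handle(self, cookies):
        """Step 3: when the ticket names a user this server has not logged on,
        recover the credentials from the store and re-authenticate silently."""
        user_id = cookies.get("MSCSAuth")
        if user_id is None or user_id not in self.profiles.records:
            return "redirect Login.asp"
        if user_id in self.logon_cache:
            return "served"
        user_name, password = self.profiles.credentials(user_id)
        if not self.directory.check(user_name, password):
            return "redirect Login.asp"   # stale stored password: prompt, then recapture
        self.logon_cache.add(user_id)
        return "served"
```

Two points the model makes concrete: the store now holds material that yields the password, so the key must not sit beside it and every record should be integrity-checked before decryption; and a password changed with directory tools is not reflected in the store until the user next logs on interactively, which is exactly the prompt step 4 describes.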

Note

You can address the previous authentication issue by deploying Application Center Request Forwarder, which can forward the request before authentication is assessed, and can then forward the user to the server that will recognize that user.

Note

AuthFilter and Commerce Server Core Systems manage the encryption of cookies internally. However, this level of encryption might not be secure enough for some environments. Use the Commerce Server Membership Provider to force Commerce Server Core Systems to use Secure Sockets Layer (SSL) to help create a more secure environment.

Note

If a user tries to log on to a Commerce Server Core Systems site and is continually redirected to the Login.aspx page, look at the Set Cookie Path to Application check box in Commerce Server Manager: when it is selected, it prevents the AuthTicket from being sent back to the client. Clear this check box to enable AuthFilter to work correctly. For more information about how to use this option, see How to Configure an Application.

Note

If you are using AuthFilter, you can configure multiple Commerce Server Core Systems applications to use a single logon page. To do this, you configure multiple Commerce Server Core Systems applications in IIS. For each IIS application, you need to deploy the Csapp.ini and Global.asa files to the root of the application.

See Also

Other Resources

Authentication Concepts and Tasks

What Is the Commerce Server Membership Provider?

How to Enable Logons by Using the Commerce Server Membership Provider

How to Restore AuthFilter Functioning