What Is AuthManager?
In earlier versions of Commerce Server Core Systems, the AuthManager object was provided to manage user authentication. If you are creating a new Commerce Server Core Systems application, you should use the Commerce Server Membership Provider to authenticate users, instead of the AuthManager object. AuthManager is provided for backward compatibility only.
For more information about the Commerce Server Membership provider, see What Is the Commerce Server Membership Provider? and How to Enable Logons by Using the Commerce Server Membership Provider.
The AuthManager Object
The AuthManager object identifies users and gathers information that is used for user authentication. The methods and properties of the AuthManager object control and access the contents of cookies and encoded URL strings.
Authentication uses tickets to provide information about the user. A ticket is a string of property/value pairs. AuthManager supports two types of tickets: an MSCSAuth ticket and an MSCSProfile ticket. The following table summarizes the differences between the MSCSAuth ticket and the MSCSProfile ticket.
Characteristic |
MSCSAuth ticket |
MSCSProfile ticket |
|---|---|---|
Storage |
Session cookie/encoded URL string |
Persistent cookie/encoded URL string |
User Type |
Registered |
Anonymous |
Contents |
Unique user ID, last logon time, time window |
Unique user ID |
In this context, "registered" refers to a user who has successfully completed the registration process for the site.
The AuthManager object provides methods to put the ticket into a cookie or into an encoded URL string, depending on whether cookies are enabled on the client. When you use the AuthManager object together with the AuthFilter ISAPI filter, cookies must be enabled.
For an MSCSAuth ticket, the AuthManager object can check the validity of the ticket using the IsAuthenticated method. The IsAuthenticated method checks whether the request from the user contains an MSCSAuth ticket. If the request does contain an MSCSAuth ticket, the method checks the current time against the last logon time set on the ticket to see whether the logon time is within the time window specified in the ticket. If it is, the method returns True, indicating that this is a valid MSCSAuth ticket. If the current time is within five minutes of the last logon time plus the time window, the last logon time on the ticket is updated to the current time so the active user can continue browsing.
Note
If a user has both an MSCSAuth ticket and an MSCSProfile, the MSCSAuth ticket takes precedence.
Note
The MSCSAuth ticket time-out starts when the user first logs on and is not reset upon subsequent updates. This causes the IsAuthenticated method to return false. If you need the time-out value to be reset upon each refresh of a page, you will have to issue a new ticket every time. However, this can adversely affect performance. If you must reissue a new ticket, make sure that you check whether the user is already authenticated first before issuing a new ticket.
If the user does not allow cookies, the ticket is stored in an encoded URL string. The URL string can be used to pass user information between pages and Web sites, as the AuthManager object generates all the URLs and query strings.
The AuthManager object provides a transparent interface to the tickets, whether they are stored in cookies or in URL query strings, and handles encryption and decryption of the tickets to help ensure security.
The AuthManager object must be used with ASP, because it depends on ASP intrinsic objects. Do not create the AuthManager object in application scope, because it depends on an individual user session. Create and destroy an AuthManager object on each ASP page.
See Also
Other Resources
Authentication Concepts and Tasks
What Is the Commerce Server Membership Provider?
How to Enable Logons by Using the Commerce Server Membership Provider