Login Page: Get Method and Post Method

The site developer must create a Login.asp page for users to enter their credentials. You specify this login page in the Login Form property of the CS Authentication resource. For a sample Login.asp page, see the \Microsoft Commerce Server 2002\AuthFiles folder.

When the user requests the login page and the request is not a form submission, the page is sent to the user. The login page must have anonymous access rights because, at this point, the user is unauthenticated. The login page has a link to a registration page for new users. The user submits the login form containing the user ID and password. If either of these credentials is missing, the user is redirected back to the login page. AuthFilter performs different actions depending on whether the submission was through the Get method or the Post method.

For performance reasons, do not set any persistent cookies on the login page.

Get Method

When the Get method is used, the submitted user ID and password are carried in the HTTP request header, as the URL query string, and are therefore available to AuthFilter when it receives the SF_NOTIFY_PREPROC_HEADERS event. This occurs before the login page processes the request.

The following steps are taken:

  1. AuthFilter retrieves the submitted user ID and password from the QueryString collection properties, txtUserName and txtPassword.
  2. AuthFilter checks the password cache for an entry matching the user ID.
  3. If an entry is found, the password is updated with the submitted password.
  4. If an entry is not found, a new entry is made using the submitted user ID and password.
  5. AuthFilter returns processing to the login page.
  6. In the login page, the submitted user ID and password are retrieved from the txtUserName and txtPassword properties of the QueryString collection of the Request object.
  7. Using the submitted user ID, the profile of the user is retrieved from the Commerce Server Profiles resource or another profile system.
  8. If the user does not have a profile, the user is redirected to the registration page.
  9. If the user has a profile, but the password associated with the profile does not match the submitted password, the login page is resent to the user.
  10. If the passwords do match, the AuthManager object is used to set the MSCSAuth ticket into a session cookie for the user.
  11. The user is redirected to the original URL, which was previously stored by AuthFilter in the MSCSFirstRequestedURL property of a separate session cookie.
  12. When the browser resubmits the request, AuthFilter determines the ticket is valid and returns processing to IIS.
  13. If the user has access rights to the URL, the URL is returned.

Post Method

When the Post method is used, the submitted user ID and password are placed in the HTTP body and are not available to AuthFilter until after the login page processes the request. This requires an additional step beyond those used when processing a request that uses the Get method. This step entails appending the user ID and password to the URL query string. For a code example showing these steps, see Code to Retrieve Login Credentials Using the Post Method and Set an MSCSAuth Ticket.

The following steps are taken:

  1. Initially, the submitted user ID and password are unavailable to AuthFilter, and processing is immediately returned to the login page.
  2. In the login page, the submitted user ID and password are retrieved from the txtUserName and txtPassword properties of the Form collection of the Request object.
  3. Using the submitted user ID, the profile of the user is retrieved from the Commerce Server Profiles resource or another profile system.
  4. If the user does not have a profile, the user is redirected to the registration page.
  5. If the user does have a profile, but the password associated with the profile does not match the submitted password, the login page is resent to the user.
  6. If the passwords do match, the AuthManager object is used to set the MSCSAuth ticket into a session cookie for the user.
  7. The user ID and password are appended, as the two properties proxyuser and proxypwd, to the query string of the original URL, which was previously stored by AuthFilter in the MSCSFirstRequestedURL property of a separate session cookie. The query string resembles the following:

       "<MSCSFirstRequestedURL>&proxyuser=UserID&proxypwd=Password"

  8. The user is redirected to the original URL.
  9. IIS notifies AuthFilter that it is sending a redirect response by signaling the SF_NOTIFY_SEND_RESPONSE event.
  10. AuthFilter removes the user ID and password from the URL query string, so the credentials are never sent to the browser.
  11. AuthFilter checks for the user ID in the password cache and, if found, updates the password.
  12. If the user ID is not found, a new entry is made using the user ID and password.
  13. When the browser resubmits the request, AuthFilter determines that the ticket is valid and returns processing to IIS.
  14. If the user has access rights to the requested URL, the URL is returned.
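The Post-method redirect (steps 7 and 10) and the password-cache update that both methods share (Get steps 2 to 4, Post steps 11 and 12), as an added Python model; this is not Commerce Server or AuthFilter code. It assumes the credentials are URL-encoded when appended, that the stored MSCSFirstRequestedURL may or may not already carry a query string, and that a plain dictionary can stand in for AuthFilter's password cache.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-string property names used by the login page and AuthFilter (from the page).
PROXY_USER = "proxyuser"
PROXY_PWD = "proxypwd"


def build_redirect_url(first_requested_url: str, user_id: str, password: str) -> str:
    """Post step 7: append proxyuser/proxypwd to the stored MSCSFirstRequestedURL.

    Values are URL-encoded (assumption; the page shows them raw). Re-encoding the
    whole query means a URL without a query gets '?', one with a query gets '&'.
    """
    parts = urlsplit(first_requested_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += [(PROXY_USER, user_id), (PROXY_PWD, password)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def strip_proxy_credentials(location: str):
    """Post step 10: the Location header as AuthFilter rewrites it at SF_NOTIFY_SEND_RESPONSE.

    Returns (clean_url, user_id, password); the last two are None when the URL
    carries no proxy credentials, so the function is safe on any redirect.
    """
    parts = urlsplit(location)
    kept, creds = [], {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key in (PROXY_USER, PROXY_PWD):
            creds[key] = value  # pulled out of the URL, never reaches the browser
        else:
            kept.append((key, value))
    clean = urlunsplit(parts._replace(query=urlencode(kept)))
    return clean, creds.get(PROXY_USER), creds.get(PROXY_PWD)


def update_password_cache(cache: dict, user_id: str, password: str) -> str:
    """Get steps 2-4 / Post steps 11-12: update an existing entry or create one.

    Returns "updated" or "created" so a caller can see which branch ran.
    """
    status = "updated" if user_id in cache else "created"
    cache[user_id] = password
    return status


def simulate_post_login(cache: dict, first_requested_url: str, user_id: str, password: str) -> str:
    """Run steps 7, 10 and 11-12 in order; return the URL the browser actually receives."""
    location = build_redirect_url(first_requested_url, user_id, password)
    clean, uid, pwd = strip_proxy_credentials(location)
    if uid is None or pwd is None:
        raise ValueError("proxy credentials missing from redirect URL")
    update_password_cache(cache, uid, pwd)
    return clean
```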

See Also

BDSecurity Object

Processing User Requests in Windows Authentication Mode

Code to Retrieve Login Credentials Using the Post Method and Set an MSCSAuth Ticket

Copyright © 2005 Microsoft Corporation.
All rights reserved.