Comparison of AuthFilter and AuthManager

Commerce Server 2002

Commerce Server provides two tools used to manage user authentication and identification:

  • AuthManager. A Component Object Model (COM) object that exposes methods for identifying users and controlling access to dynamically generated content. For example, a site developer can invoke the GetUserID method of AuthManager to identify a user based on the ticket contained in a cookie or query string. AuthManager is used on every secured ASP page on your site: the page calls the IsAuthenticated method to check whether the user is allowed to view it.

    AuthManager supports cookieless shopping. An authentication ticket must be appended to every URL query string created on the site to ensure that the ticket is passed on for all requests. This is done through the GetUrl method. Note that only one ticket can be appended to the URL, with the MSCSAuth ticket having precedence over the MSCSProfile ticket.

    AuthManager is not dependent on any of the configuration settings that are applied during the unpacking process.

  • AuthFilter. An Internet Server API (ISAPI) filter used and configured at the Commerce Server application level. AuthFilter can be applied to all users visiting your site. You configure AuthFilter after unpacking a site. AuthFilter does not support cookieless shopping.
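Because cookieless shopping carries the ticket in every URL, the ticket value is also recorded wherever URLs are recorded, such as web server access logs and Referer fields. The following is an added example, not code from the original page or from Commerce Server: it masks ticket values in access-log lines and reports where they appeared. It assumes the tickets travel as query-string parameters named MSCSAuth and MSCSProfile and that the logs use combined log format; the sample lines are constructed.

```python
import re

# Ticket names are taken from this page; treating them as the query-string
# parameter names is an assumption of this example.
TICKET_RE = re.compile(r'(?i)([?&])(MSCSAuth|MSCSProfile)=([^&\s"#]*)')
QUOTED_RE = re.compile(r'"([^"]*)"')
# In combined log format the first quoted field is the request line and
# the second is the Referer header.
FIELDS = ("request", "referer")


def redact(text):
    """Mask ticket values in text; return (masked_text, ticket names found)."""
    found = []

    def _mask(match):
        found.append(match.group(2))
        return f"{match.group(1)}{match.group(2)}=REDACTED"

    return TICKET_RE.sub(_mask, text), found


def scan(lines):
    """Redact every line and report where tickets were exposed.

    Returns (redacted_lines, findings); each finding is
    (line_number, field, ticket_name) with field 'request' or 'referer'.
    """
    redacted, findings = [], []
    for number, line in enumerate(lines, start=1):
        for field, value in zip(FIELDS, QUOTED_RE.findall(line)):
            for ticket in redact(value)[1]:
                findings.append((number, field, ticket))
        redacted.append(redact(line)[0])
    return redacted, findings


# Constructed sample lines; hosts, addresses and ticket values are made up.
SAMPLE = [
    '192.0.2.10 - - [12/Mar/2005:10:00:01 +0000] "GET /basket.asp?MSCSAuth=AAAA1111&sku=42 HTTP/1.1" 200 512 "http://shop.example/default.asp?MSCSAuth=AAAA1111" "UA"',
    '192.0.2.11 - - [12/Mar/2005:10:00:02 +0000] "GET /default.asp HTTP/1.1" 200 900 "-" "UA"',
    '198.51.100.7 - - [12/Mar/2005:10:00:03 +0000] "GET /img/logo.gif HTTP/1.1" 200 77 "http://shop.example/product.asp?id=9&mscsprofile=BBBB2222" "UA"',
]

if __name__ == "__main__":
    clean, hits = scan(SAMPLE)
    print("\n".join(clean))
    for hit in hits:
        print(hit)
```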

Summary of Differences Between AuthFilter and AuthManager

The following table summarizes the differences among the features supported by AuthFilter and the AuthManager object.

| Features | AuthFilter: Windows Authentication | AuthFilter: Custom Authentication | AuthFilter: Autocookie | AuthManager |
|---|---|---|---|---|
| Checks whether session (non-persistent) cookies are supported | Yes | Yes | Yes | No |
| Supports cookieless shopping | No | No | No | Yes |
| Provides granular access control using access control lists (ACLs) | Yes | No | No | No |
| Supports custom login pages | Yes | Yes | No | No. If the ticket is not validated using AuthManager, you can reroute the user request to a custom login page. |
| Supports URL case correction | Yes | Yes | Yes | No |
| Supports Web farm environments | Yes, with some limitations on Post requests | Yes | Yes | Yes |
| Uses ASP-intrinsics | No | No | No | Yes |
| Supports using Active Directory for storing user profiles | Yes | No | Yes (*mixed mode) | No |
| Supports using SQL Server for storing user profiles | Yes (Active Directory + SQL Server) | Yes | Yes (*mixed mode) | Yes |
| Impersonates user | Yes | No | No (Anonymous) | No (Anonymous) |
| Access Control Lists (ACLs) | Virtual directory level and dynamic page level | Virtual directory level | Anonymous-only | Dynamic page level |
| Supports security credentials provided by the user | Yes | Custom (Anonymous) | Anonymous | No |
| Requires a cookie from the client | Yes | Yes | Yes | No |

* Mixed mode is the use of Autocookie Generation mode with either Custom Authentication mode or Windows Authentication mode.

Commerce Server authentication does not support heterogeneous scenarios, for example, a mixed environment of Windows 2000 and Unix servers.

See Also

Authentication Tickets



Copyright © 2005 Microsoft Corporation.
All rights reserved.