Case 3: Redirect to a Login Page

In this case, cookies are enabled. The AuthFilter redirects the user to a login form for any of these scenarios:

  • The returned cookie does not contain an MSCSAuth ticket and the requested URL does not have anonymous access rights.

  • The returned cookie contains an invalid MSCSAuth ticket.

  • The returned cookie contains a valid MSCSAuth ticket but the user does not have access rights to the requested URL.

The Active Server Pages (ASP) page to which the user should be redirected is specified in the s_Logon_Form ("Login Form" in the Commerce Server Manager user interface) property of the CS Authentication resource.

To accomplish this, the AuthFilter performs the following steps in the background after being notified by IIS that an SF_NOTIFY_PREPROC_HEADERS event has occurred:

  1. Checks for site configuration properties in the local site cache and, if not found, reads the site configuration properties from the Administration database using a SiteConfig object.

  2. Sends a cookie with an MSCSFirstRequestedURL property set to the originally requested URL.

  3. If the returned cookie does not contain an MSCSAuth ticket, processing is returned to IIS.

  4. Because the requested URL does not have anonymous access rights, IIS notifies the AuthFilter of the SF_NOTIFY_ACCESS_DENIED event, and the user is redirected to either a login page or an error page, as required.

  5. If the cookie does contain an MSCSAuth ticket, the AuthFilter checks the password cache for an entry matching the user ID contained in the cookie.

  6. If a matching entry is not found, the user is redirected to the login page.

  7. If a matching entry is found, the AuthFilter checks the current time against the login time to see if it is within the time window specified in the ticket.

  8. If the current time is past the time window specified in the ticket, the user is redirected to the login page.

  9. If the current time is within the time window, the ticket is considered valid, and the user ID and password are submitted to IIS for access to the requested URL.

  10. Because the user does not have access rights to the requested URL, IIS issues an SF_NOTIFY_ACCESS_DENIED notification, and the AuthFilter redirects the user to a login page.
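
The decision flow in steps 2 through 10 can be modeled in a few lines. The following Python sketch is an added example, not Commerce Server code: the Ticket class, the auth_filter function, the /login.asp path and all sample data are assumptions made for illustration, the real MSCSAuth ticket format is not modeled, and step 4 is simplified to always redirect to the login page.

```python
from dataclasses import dataclass
from typing import Optional

LOGIN_FORM = "/login.asp"   # placeholder for the s_Logon_Form property value

@dataclass
class Ticket:
    """Simplified stand-in for an MSCSAuth ticket (real format not modeled)."""
    user_id: str
    login_time: int   # seconds; assumed to be carried with the ticket
    window: int       # validity window in seconds

def auth_filter(url: str, ticket: Optional[Ticket], now: int,
                password_cache: dict, anonymous_urls: set, acl: dict):
    """Return (action, target, reason, cookies_sent) for one request."""
    cookies = {"MSCSFirstRequestedURL": url}                  # step 2
    def to_login(reason):
        return ("redirect", LOGIN_FORM, reason, cookies)
    if ticket is None:                                        # step 3: IIS decides
        if url in anonymous_urls:
            return ("serve", url, "anonymous access", cookies)
        return to_login("no ticket, access denied")           # step 4
    if ticket.user_id not in password_cache:                  # steps 5-6
        return to_login("no password cache entry")
    # Steps 7-8. Rejecting a login time in the future is this sketch's choice.
    if not ticket.login_time <= now <= ticket.login_time + ticket.window:
        return to_login("outside ticket time window")
    # Step 9: user ID and cached password go to IIS, which applies the ACL.
    if ticket.user_id in acl.get(url, set()):
        return ("serve", url, "valid ticket", cookies)
    return to_login("valid ticket, access denied")            # step 10

# Constructed sample data, not taken from a real site.
CACHE = {"alice": "constructed-password"}
ANON = {"/default.asp"}
ACL = {"/orders.asp": {"alice"}, "/admin.asp": {"bob"}}

def demo(now: int = 1000):
    fresh = Ticket("alice", login_time=900, window=600)
    cases = [
        ("/orders.asp", None),                                # scenario 1
        ("/orders.asp", Ticket("mallory", 900, 600)),         # scenario 2: unknown user
        ("/orders.asp", Ticket("alice", 100, 600)),           # scenario 2: expired
        ("/admin.asp", fresh),                                # scenario 3
        ("/orders.asp", fresh),                               # contrast: request served
        ("/default.asp", None),                               # contrast: anonymous URL
    ]
    return [auth_filter(u, t, now, CACHE, ANON, ACL)[:3] for u, t in cases]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The first four constructed requests end at the login form, one for each failure path in the list above; the last two are served and are included only for contrast.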

For information about the events on the login page, see Login Page.

See Also

URL Request Outcomes

Case 1: Redirect to a Support Page

Case 2: Send the Requested URL

