

What is Direct Mail Authentication?

The DirectMail authentication module provides the mechanism to initialize a site to run as a specific user.

DirectMail Authentication Module

The DirectMail authentication mechanism is as follows:

  1. DirectMailer generates a Commerce AuthTicket as a specific user. If the value of UserId is encrypted and set as the AuthTicket value, the ticket is added as a cookie to the HTTP Request that the DirectMailer issues to the Url page (or the SourceLocation page if MailingListUser.Url is not specified).

    Note

    If the MSCSProfile cookie is empty or not set, but a unique user ID cookie such as a user e-mail cookie is set, a StaticList that contains users without profiles may have been used. You can create a static list of users who have profiles by merging an expression list into the static list. For more information about merging expression lists, see How to Merge Lists.

  2. The Commerce site that hosts this page should have the profiles/userProfile and CommerceDirectMailerAuthenticationModule sections configured correctly for the page to be able to decrypt the AuthTicket. You can set up the DirectMailer Authentication module section by adding the following line to the httpModules section of the Web.config file:

    <add name="CommerceDirectMailerAuthenticationModule" type="Microsoft.CommerceServer.Runtime.CommerceDirectMailerAuthenticationModule, Microsoft.CommerceServer.Runtime, Version=6.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    
  3. The DirectMail Authentication module subscribes to the AuthenticateRequest event of the request processing sequence. When this event occurs, the following steps occur:

    • The DirectMail Authentication module decrypts the AuthTicket, verifying it is a valid ticket. If not valid, the event handler returns immediately.

    • If the ticket is valid, the DirectMail Authentication module sets the UserID property equal to the value decrypted from the AuthTicket.

    • It makes a call to the Profiles System to retrieve the profile of this user (based on the settings in the userProfile Web.config element). If no profile is found, the module returns immediately.

    • If a matching profile is found, it is stored in the UserProfile property.

    • The module then creates a GenericPrincipal object with a GenericIdentity. When the GenericIdentity is constructed, the name and type strings are specified as follows:

      The name parameter corresponds to the profile property that the userIdKey attribute refers to. By default, that property is GeneralInfo.email_address.

      The type is a custom string, DM Authentication Type.

      The HttpContext.Current.User property is set to the GenericPrincipal object.

  4. Other downstream callers can now access:

    • HttpContext.Current.User as they would for other ASP.NET pages.

    • CommerceContext.Current.UserID and UserProfile properties as they would on other Commerce Server Core Systems–specific ASP.NET pages.
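
Because the module marks its principal with the authentication type string DM Authentication Type, downstream code can tell a DirectMailer-issued identity apart from an interactive sign-in and limit what it may reach. The following module is an added example, not part of Commerce Server or of the original page; the class name DirectMailScopeModule and the ~/DirectMail/ folder are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added example (hypothetical module, not shipped with Commerce Server).
// Confines principals created by the DirectMail Authentication module to
// the pages that are meant to be rendered for mailings.
public sealed class DirectMailScopeModule : IHttpModule
{
    // Authentication type string that the page says the module assigns.
    private const string DirectMailAuthType = "DM Authentication Type";

    // Assumption: mail body pages live under this application folder.
    private static readonly string[] AllowedPrefixes = { "~/DirectMail/" };

    public void Init(HttpApplication app)
    {
        // PostAuthenticateRequest fires after every AuthenticateRequest
        // handler has run, so HttpContext.User is already populated.
        app.PostAuthenticateRequest += OnPostAuthenticate;
    }

    private static void OnPostAuthenticate(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        if (!IsDirectMailPrincipal(app.Context.User)) return;
        if (IsAllowedPath(app.Request.AppRelativeCurrentExecutionFilePath)) return;

        // A ticket-based identity asked for a page outside the mail area.
        app.Response.StatusCode = 403;
        app.CompleteRequest();
    }

    public static bool IsDirectMailPrincipal(IPrincipal user)
    {
        return user != null && user.Identity != null
            && string.Equals(user.Identity.AuthenticationType,
                             DirectMailAuthType, StringComparison.Ordinal);
    }

    public static bool IsAllowedPath(string appRelativePath)
    {
        foreach (string prefix in AllowedPrefixes)
            if (appRelativePath.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
                return true;
        return false;
    }

    public void Dispose() { }
}
```

Register the module in the same httpModules section as CommerceDirectMailerAuthenticationModule.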

Dependency on Commerce Server Core System Authentication Global Resource

For DirectMailer Authentication to work, there must be a Profiles global resource associated with the site. DirectMailer also uses the Commerce Server Core Systems Authentication global resource to obtain the encryption key that is used to encrypt the profile tickets.

The HTTP Auth module needs access to the same Commerce Server Core Systems Authentication global resource in order to decrypt the tickets. This resource must be associated with the site even if the site is using ASP.NET authentication.

See Also

Other Resources

Web.Config Configuration Settings