About the Login Feature for Solution Sites

The files in the Login Folder provide most of the functionality of the login/logoff process.

Initialization

Initialization for the login feature occurs in the following file:

include\global_main_lib.asp

This file initializes the AppConfig object, which provides access to the Form login options property of the App Default Config Site resource in Commerce Server Manager. The login option constants are defined in the AppConsts 1.0 Type Library.

The following table lists the login options.

Login Option                 Value   Description
FORM_LOGIN_NOT_SUPPORTED     0       Login is not supported.
FORCE_LOGIN_ON_ENTRANCE      1       Login is required to enter the site.
LOGIN_OPTIONAL_ON_ENTRANCE   2       Login is optional on entering the site.
FORCE_LOGIN_ON_PURCHASE      5       Login is required at the time of purchase (when a user visits a page in the Purchase pageset).
LOGIN_OPTIONAL_ANY_TIME      6       Login is optional at any time. This is the default for the Retail site.
USE_IIS_AUTH                 7       Authentication is through Internet Information Services (IIS) using Basic or Integrated Windows authentication. This is the default for the Supplier site.

Browse Time

The following files display the login feature:

login\login.asp

The login form is rendered and validated using routines from the include\form_lib.asp file. As with other pages that use this library, the login form acts as both a form presentation page and a form acceptor page. On initial access, the page is rendered with an empty login form. On submittal, validation and (potentially) login occur.

The login form is displayed using the template\no_menu.asp file. It contains User name and Password input text boxes. Additionally, if the user is anonymous and the login option is LOGIN_OPTIONAL_ON_ENTRANCE, a link for entering the site as an anonymous user (login\_guest.asp) is displayed. If registration is enabled on the site, a link to the registration page (login\newuser.asp) is rendered.

The following figure shows a sample login page for a site with registration enabled, and with the login option equal to LOGIN_OPTIONAL_ON_ENTRANCE. The user supplied invalid login credentials, which resulted in the red warning message.

[Figure: Login page]

Validation

This page first determines whether the login option is FORM_LOGIN_NOT_SUPPORTED or USE_IIS_AUTH. If it is either one, the user is immediately redirected to the home page (default.asp), because login is not meaningful in this context. By default, the login option for the Supplier site is USE_IIS_AUTH. Thus, form login is disabled for the Supplier site and the following discussion is not applicable. For information about enabling self registration for the Supplier site, see Enabling Self Registration for the Supplier Solution Site.

For all other login options, the page determines whether it was posted or submitted, and writes a test session cookie.

When the user submits the login form, the profile associated with the user is retrieved and used to validate the password (ValidateSubmittedLoginData). If the user does not have a profile or the password is not valid, the login form is redisplayed with a warning message. If the password is valid, the registered user ID is retrieved from the profile.

Post-validation

If the user is shopping as an anonymous user and then decides to register (or was forced to register because the login option equals FORCE_LOGIN_ON_PURCHASE), the contents of the user's basket are transferred to a new basket associated with the registered user ID (MoveBasketItems).

If the user allows session cookies, both Auth and Profile tickets are set in individual cookies. The Auth ticket is set to indicate the user is a logged in registered user. The Profile ticket is set so that when the user starts a new browser session, the same user ID is used (since this is only a Profile ticket, the user is not logged in). The site recognizes that the user ID is associated with a registered account and takes the user to the welcome back page where they can log in again. If the site is part of a Web farm, the date the profile for the user was last changed is set into a cookie. For more information, see About the Profiles Feature for Solution Sites.

If the user does not allow session cookies, an Auth ticket is set into a URL query string. A Profile ticket is not set since it would be unavailable when the user starts a new browser session. There is no need to set the date the profile for the user was last changed since, with cookies disabled, the profile for the user is automatically retrieved from the Profile store.
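Because a cookieless Auth ticket is part of the URL, it is also recorded wherever URLs are recorded, such as web server logs and Referer headers. The following added example (not part of the original documentation or the Solution Site code) redacts such tickets from IIS W3C extended log lines and reports where they appeared; the parameter name MSCSAuth and the sample log lines are assumptions.

```python
import re

# Assumption: the Auth ticket travels in a query-string parameter named
# "MSCSAuth"; confirm the real name used by your site and change it here.
TICKET_PARAM = "MSCSAuth"
TICKET_RE = re.compile(
    r"((?:^|[?&])" + re.escape(TICKET_PARAM) + r"=)[^&\s#]+", re.IGNORECASE
)
# Log fields that can carry a URL-borne ticket.
URL_FIELDS = ("cs-uri-query", "cs(Referer)")

def redact_w3c_log(lines):
    """Return (redacted_lines, findings) for W3C extended log lines.

    findings lists (line_number, field_name) for every field holding a ticket.
    """
    fields, out, findings = [], [], []
    for num, line in enumerate(lines, start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows below
            out.append(line)
            continue
        values = line.split(" ")
        if line.startswith("#") or len(values) != len(fields):
            out.append(line)               # directive or malformed row: keep as is
            continue
        for i, name in enumerate(fields):
            if name in URL_FIELDS:
                values[i], hits = TICKET_RE.subn(r"\1[REDACTED]", values[i])
                if hits:
                    findings.append((num, name))
        out.append(" ".join(values))
    return out, findings

# Constructed sample log (not from a real site); ticket values are made up.
SAMPLE = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status cs(Referer)",
    "2005-01-01 10:00:00 GET /retail/default.asp MSCSAuth=AAAA1111 200 -",
    "2005-01-01 10:00:05 GET /retail/basket.asp - 200 "
    "http://shop.example/retail/default.asp?MSCSAuth=AAAA1111",
    "2005-01-01 10:00:09 GET /retail/product.asp sku=42 200 -",
]

if __name__ == "__main__":
    redacted, found = redact_w3c_log(SAMPLE)
    print("\n".join(redacted))
    print(found)
```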

Finally, upon successful login, the user is redirected to the home page.

login\newuser.asp

This page is built to be self-posting and validating. On initial access, the page is rendered with an empty registration form. On submittal, validation and (potentially) profile creation and login occur.

The registration process is similar to the login process. If registration is not supported on the site or the login option is either FORM_LOGIN_NOT_SUPPORTED or USE_IIS_AUTH, the user is immediately redirected to the home page.

For all other cases, the page determines whether it was posted or submitted, and writes a test session cookie. The registration form is displayed using the template\no_menu.asp file and contains User name, Password, and Confirm password input text boxes.

When the user submits the registration form, the submitted user name is checked against previous registered users to determine if the user name already exists (iValidateSubmittedRegistrationData). If it does, or if the password is syntactically invalid or does not match the confirmation password, the page is redisplayed with a warning message.

If you modify the code to change the minimum/maximum password and user name requirements, the Business Desk and Partner/Customer Services sections of the site must be updated to match.

Upon successful submission, if the user had a previous anonymous profile, it is changed to a registered profile (mscsTransferGuestUserProfile). If not, a new profile is created and marked as a registered profile (mscsNewRegisteredUserProfile).

If the user allows session cookies, both Auth and Profile tickets are set in individual cookies. If the user does not allow session cookies, only the Auth ticket is set into a URL query string. For more information, see the discussion in the previous section (login\login.asp).

Finally, upon successful registration, the user is redirected to the home page as a new user. By default, self-registration is disabled for the Supplier Solution site. For information about enabling self-registration for the Supplier site, see Enabling Self-Registration for the Supplier Solution Site.

login\_guest.asp

This page redirects the anonymous user to the home page. If the user already has an Auth ticket, it is removed (effectively logging the user out). If profiling is allowed on the site, a new profile is created for the anonymous user (GetNewGuestUserProfile). Either way, a user ID is generated and set into a Profile ticket.

login\logoff.asp

Running this page logs a user off your site. Depending on the login mode and the browser, the user may have to perform additional steps to be completely and safely logged off your site. This page can also offer links to re-login, register as a new user, or enter the site as a new anonymous user, as appropriate.

See Also

Page-Level Access Control for Solution Sites

About the Profiles Feature for Solution Sites

About the User Tracking Feature for Solution Sites

Global Constants

Copyright © 2005 Microsoft Corporation.
All rights reserved.