AuthManager Class (PIA)

Use this object to perform user identification and authentication, and to manage user security information. This object also contains methods for cookie and cookieless browsing.

Methods

| Method | Description |
| --- | --- |
| GenerateEncryptionKey | Generates an encryption key for the administration of cookie data. Use this method in administration or setup components only. |
| GetProperty | Retrieves the specified custom property stored in a cookie or query string. |
| GetURL | Generates a Uniform Resource Locator (URL) containing optional name/value pairs. |
| GetUserID | Retrieves the unique ID for the current user. |
| GetUserIDFromCookie | Retrieves a user ID from a cookie. |
| Initialize | Initializes the AuthManager object by caching all the required site configuration resource properties. |
| IsAuthenticated | Indicates whether or not a user is currently authenticated. |
| Refresh | Updates the cached site configuration resource properties after any of the properties have been changed. |
| SetAuthTicket | Generates an encrypted AuthTicketType ticket for a registered user. |
| SetProfileTicket | Generates an encrypted ProfileTicketType ticket for an anonymous user. |
| SetProperty | Adds a property/value pair to a cookie or query string containing a ticket. |
| SetUserID | Sets the user ID property on a ticket. |
| UnInitialize | Removes the site-specific configuration resource properties from the cache. |
| URLArgs | Generates an encoded URL query string from arrays of parameter names and values. |
| URLShopperArgs | Generates an encoded Uniform Resource Locator (URL) query string of name/value pairs and appends the ticket to the query string if a ticket is set. |

Remarks

The AuthManager object identifies users and gathers information used for user authentication. The methods and properties of this object control and access the contents of cookies and encoded URL strings.

In the Commerce Server 2002 context, authentication uses tickets. A ticket is a string of property/value pairs that provide information about the user. Two types of tickets are supported. An authentication ticket, named AuthTicketType, is used for registered users while a profile ticket, named ProfileTicketType, is used for anonymous users. (These ticket types are defined in Microsoft.CommerceServer.Interop.TicketTypeEnum.) In this context, registered means a user who has provided information to a site that can be used for identification.

A user may have both types of tickets. In this case, the AuthTicketType ticket takes precedence.

A ticket contains a unique user ID, and for authentication tickets, the time of last login and a time window. For an anonymous user who allows cookies, the ProfileTicketType ticket is stored on the local computer of the user as a persistent cookie. For a registered user who allows cookies, the AuthTicketType ticket is stored in a session cookie and is valid for the duration of the session or a specified time window, and then is deleted.

If the user does not allow cookies, the ticket is placed in an encoded URL string. The URL string may be used to pass user information between pages and sites, provided all the URLs and query strings are generated by the AuthManager object.

The AuthManager object provides a transparent interface to the tickets, whether they are stored in cookies or in URL query strings, and handles encryption and decryption of the tickets to ensure security.

The AuthManager object is intended to be used only through Active Server Pages (ASP) since it depends on ASP intrinsic objects. Do not create the AuthManager object in application scope as it has dependencies on individual user sessions. The AuthManager object should be created and destroyed on each ASP page.

The methods GetUserIDFromCookie and GenerateEncryptionKey facilitate rolling key encryption functionality. For more information about this feature, see Rolling Key Encryption for Authentication Tickets.

Any operation that requires decryption of the ticket will fail if you change the encryption key. One important instance of this behavior is with profile tickets, because they are persisted on the client computer. Hence, when a user with a persisted profile ticket that was encrypted with the old key comes back to the site, the AuthManager object is not able to decrypt this ticket. For more information about this issue, see Rolling Key Encryption for Authentication Tickets.
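
The key-change failure described above, as an added example (not Commerce Server code and not part of the original documentation): a Python model in which an HMAC tag stands in for the ticket encryption, whose algorithm this page does not describe. The keyring of current plus retired keys, the function names, and the key values are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample keys; a real site generates random key material.
OLD_KEY = b"constructed-old-key-0001"
NEW_KEY = b"constructed-new-key-0002"


def issue_ticket(key, user_id, ticket_type):
    """Serialize property/value pairs and bind them to `key` with an HMAC tag."""
    body = json.dumps({"user_id": user_id, "type": ticket_type}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + body).decode()


def open_ticket(ticket, keyring):
    """Return (properties, key_index) for the first key that verifies, else None.

    keyring[0] is the current key; later entries are retired keys that are
    still accepted so that persisted tickets survive a key change.
    """
    try:
        raw = base64.urlsafe_b64decode(ticket.encode())
    except ValueError:
        return None
    tag, body = raw[:32], raw[32:]
    for index, key in enumerate(keyring):
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):
            return json.loads(body), index
    return None


def reissue_if_stale(ticket, keyring):
    """Validate a ticket; if a retired key verified it, mint a new one under keyring[0]."""
    opened = open_ticket(ticket, keyring)
    if opened is None:
        return None  # unknown key or altered ticket: treat the visitor as new
    props, index = opened
    if index == 0:
        return ticket
    return issue_ticket(keyring[0], props["user_id"], props["type"])
```

A persistent profile ticket issued under `OLD_KEY` is rejected when only `NEW_KEY` is configured, and is accepted and re-issued when the retired key remains in the keyring.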

Requirements

Namespace: Microsoft.CommerceServer.Interop

Platforms: Windows 2000, Windows Server 2003

Assembly: mscsauthlib (in mscsauthlib.dll)

Copyright © 2005 Microsoft Corporation.
All rights reserved.