AuthManager Object
Use this object to perform user identification and authentication and to manage user security information. This object also contains methods for cookie and cookieless browsing.
ProgID: | Commerce.AuthManager (Externally creatable) |
COM Class Name: | MSCSAuthManager |
COM Interface Name: | IMSCSAuthManager |
Interface ID Constant: | IID_IMSCSAuthManager |
Header File: | MSCSAuth.h |
Type Library Name: | Microsoft Commerce 2000 AuthManager Type Library |
DLL Name: | mscsauth.dll |
Threading Model: | Both |
The AuthManager object is intended to be used only through ASP script. However, the following methods are available in C++ through the IMSCSAuthManager interface: GenerateEncryptionKey, GetUserIDFromCookie, Initialize, Refresh, and UnInitialize.
The methods of the AuthManager object are shown in the following table.
Method | Description |
GenerateEncryptionKey | Generates an encryption key for the administration of cookie data. Use this method in administrative or setup components only. |
GetProperty | Retrieves the specified custom property stored in a cookie or query string. |
GetURL | Generates a Uniform Resource Locator (URL) containing optional name/value pairs. |
GetUserID | Retrieves the unique ID for the current user. |
GetUserIDFromCookie | Retrieves a user ID from a cookie. |
Initialize | Initializes the AuthManager object by caching all the required site configuration resource properties. |
IsAuthenticated | Indicates whether or not a user is currently authenticated. |
Refresh | Updates the cached site configuration resource properties after any of the properties have been changed. |
SetAuthTicket | Generates an encrypted MSCSAuth ticket for a registered user. |
SetProfileTicket | Generates an encrypted MSCSProfile ticket for an anonymous user. |
SetProperty | Adds a property/value pair to a cookie or query string containing a ticket. |
SetUserID | Sets the user ID property on a ticket. |
UnInitialize | Removes the site-specific configuration resource properties from the cache. |
URLArgs | Generates a URL-encoded query string from arrays of parameter names and values. |
URLShopperArgs | Generates a URL-encoded query string from arrays of parameter names and values and appends the ticket of the user to the string. |
Remarks
The AuthManager object identifies users and gathers information used for user authentication. The methods and properties of this object control and access the contents of cookies and encoded URL strings.
In the Commerce Server 2000 context, authentication uses tickets. A ticket is a string of property/value pairs that provide information about the user. Two types of tickets are supported. An authentication ticket, named MSCSAuth, is used for registered users while a profile ticket, named MSCSProfile, is used for anonymous users. In this context, registered means a user who has provided information to a site that can be used for identification.
A user may have both types of tickets. In this case, the MSCSAuth ticket takes precedence.
A ticket contains a unique user ID and, for authentication tickets, the time of last login and a time window. For an anonymous user who allows cookies, the MSCSProfile ticket is stored on the local computer of the user as a persistent cookie. For a registered user who allows cookies, the MSCSAuth ticket is stored in a session cookie, is valid for the duration of the session or a specified time window, and is then deleted.
If the user does not allow cookies, the ticket is placed in an encoded URL string. The URL string may be used to pass user information between pages and sites, provided all the URLs and query strings are generated by the AuthManager object.
The AuthManager object provides a transparent interface to the tickets, whether they are stored in cookies or in URL query strings, and handles encryption and decryption of the tickets to ensure security.
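The ticket rules described above (cookie first, URL query string as the cookieless fallback, MSCSAuth taking precedence over MSCSProfile, and a time window on authentication tickets) can be modeled in a few lines of Python. This is an added example, not Commerce Server code. The serialized format, the property names user_id, last_login and window_min, the HMAC tag standing in for the object's undocumented encryption, and the fallback to the profile ticket when the authentication ticket has expired are all assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

KEY = b"constructed-demo-key"  # constructed value; a real key is provisioned at setup

def _tag(name, body):
    # Bind the ticket name into the MAC so a profile ticket cannot pass as MSCSAuth.
    return hmac.new(KEY, f"{name}|{body}".encode(), hashlib.sha256).hexdigest()

def seal(name, props):
    """Serialize property/value pairs and append an integrity tag (assumed format)."""
    body = urlencode(sorted(props.items()))
    return f"{body}&sig={_tag(name, body)}"

def unseal(name, ticket):
    """Return the ticket's properties, or None if missing or tampered with."""
    if not ticket:
        return None
    body, sep, tag = ticket.rpartition("&sig=")
    if not sep or not hmac.compare_digest(tag.encode(), _tag(name, body).encode()):
        return None
    return {k: v[0] for k, v in parse_qs(body).items()}

def find_ticket(name, cookies, query):
    """Prefer the cookie; the query string is the cookieless fallback."""
    if name in cookies:
        return cookies[name]
    return parse_qs(query).get(name, [None])[0]

def resolve_user(cookies, query, now=None):
    """Return (user_id, "registered" | "anonymous"), or (None, None)."""
    now = time.time() if now is None else now
    auth = unseal("MSCSAuth", find_ticket("MSCSAuth", cookies, query))
    if auth:
        age_min = (now - float(auth["last_login"])) / 60
        if 0 <= age_min <= float(auth["window_min"]):
            return auth["user_id"], "registered"  # MSCSAuth takes precedence
    prof = unseal("MSCSProfile", find_ticket("MSCSProfile", cookies, query))
    if prof:
        return prof["user_id"], "anonymous"
    return None, None
```
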
The AuthManager object is intended to be used only through Active Server Pages (ASP) since it depends on ASP intrinsic objects. Do not create the AuthManager object in application scope as it has dependencies on individual user sessions. The AuthManager object should be created and destroyed on each ASP page.