Commerce Server Security
Commerce Server provides two tools to manage user authentication and identification: the AuthManager object and the AuthFilter.
AuthManager is a Component Object Model (COM) object that exposes methods for identifying users and controlling access to dynamically generated content. For example, a site developer could invoke the GetUserID method of AuthManager object to identify a user based on a cookie or a query string.
AuthFilter is an Internet Server API (ISAPI) filter that is used at the Internet Information Services (IIS) Commerce Server application level. It can be applied to all users visiting the application. You configure properties used by AuthFilter at the global CS Authentication level. You configure the authentication mode at the application level. You can choose the following authentication modes: Windows Authentication, Custom Authentication, and Autocookie.
When you configure the AuthManager object and AuthFilter, the authentication properties are stored in the Administration database. The CS Authentication resource interacts with the Config objects to store and retrieve the properties from the Administration database.
The Solution Sites do not use AuthFilter because they are designed to support cookieless shopping.
The following table summarizes the differences among the features supported by AuthFilter, the AuthManager object, and the Solution Sites.
| Feature | AuthFilter | AuthManager | Solution Sites |
| Checks whether session cookies (non-persistent cookies) are supported | Yes | No | Yes |
| Supports cookieless shopping | No | Yes | Yes |
| Provides granular access control using access control lists (ACLs) | Yes | No | No |
| Supports custom login pages for retrieving Windows credentials | Yes | Yes | No |
| URL case correction | Yes | No | Yes |
This section contains:
General Security Elements. Describes the main security elements that are used on a Commerce Server installation.
Commerce Server Authentication Methods. Describes the AuthManager object and the AuthFilter.
Authentication Tickets. Describes the MSCSProfile ticket and the MSCSAuth ticket, and explains how Commerce Server uses them to identify guest and registered users.
IIS Authentication Methods. Describes the Internet Information Services (IIS) 5.0 authentication methods used with Commerce Server.
For Additional Security Information. Lists additional resources for information about developing with the AuthManager object and AuthFilter, and lists links to topics about securing a site.
See Also
Working with Site Security and Filters
Managing the CS Authentication Resource