When the Post method is used, the submitted user ID and password are placed in the HTTP body and are not available to the AuthFilter until after the login page processes the request. This requires an additional step beyond those used when processing a request that uses the Get method. This step entails appending the user ID and password to the URL query string. For a code example showing these steps, see Code to Retrieve Login Credentials Using the Post Method and Set an MSCSAuth Ticket.
The following steps are taken:
Initially, the submitted user ID and password are unavailable to the AuthFilter and processing is immediately returned to the login page.
In the login page, the submitted user ID and password are retrieved from the txtUserName and txtPassword properties of the Form collection of the Request object.
Using the submitted user ID, the profile of the user is retrieved from the Commerce Server Profiles resource or another profile system.
If the user does not have a profile, the user is redirected to the registration page.
If the user does have a profile, but the password associated with the profile does not match the submitted password, the login page is resent to the user.
If the passwords do match, the AuthManager object is used to set the MSCSAuth ticket into a session cookie for the user.
The user ID and password are appended, as two properties named proxyuser and proxypwd, to the query string of the original URL, which the AuthFilter previously stored in the MSCSFirstRequestedURL property of a separate session cookie. The query string resembles the following:
The user is redirected to the original URL.
IIS notifies the AuthFilter that it is sending the redirect response by signaling the SF_NOTIFY_SEND_RESPONSE event.
The AuthFilter removes the user ID and password from the URL query string. The credentials are not sent to the browser.
The AuthFilter checks for the user ID in the password cache and, if found, updates the password.
If the user ID is not found, a new entry is made using the user ID and password.
When the browser resubmits the request, the AuthFilter determines the ticket is valid and returns processing to IIS.
If the user has access rights to the requested URL, it is returned.
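The query-string handling in the steps above, modeled in Python as an added example. It is not Commerce Server or AuthFilter code: the function names, the sample URL and the choice to URL-encode the values are assumptions, and only the proxyuser and proxypwd names come from the text.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

CRED_PARAMS = ("proxyuser", "proxypwd")  # property names given in the text


def append_credentials(first_requested_url, user_id, password):
    """Login-page step: add proxyuser/proxypwd to the stored original URL."""
    parts = urlsplit(first_requested_url)
    # Assumption of this model: drop any copies already present in the URL,
    # so only the values verified against the profile reach the filter.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() not in CRED_PARAMS]
    query += [("proxyuser", user_id), ("proxypwd", password)]
    # urlencode escapes '&', '=', '#', so a password cannot split the query.
    return urlunsplit(parts._replace(query=urlencode(query)))


def filter_send_response(location, password_cache):
    """Filter step on the redirect response: strip the credentials from the
    Location URL and record them in the password cache.

    Returns the URL that is safe to send to the browser.
    """
    parts = urlsplit(location)
    kept, creds = [], {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in CRED_PARAMS:
            creds[key.lower()] = value
        else:
            kept.append((key, value))
    if len(creds) == len(CRED_PARAMS):
        # Known user ID: password is updated. Unknown user ID: entry is added.
        password_cache[creds["proxyuser"]] = creds["proxypwd"]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    cache = {}
    original = "http://shop.example/catalog/item.asp?id=42&lang=en"
    redirect = append_credentials(original, "joe@example.com", "p&ss=w#rd")
    print("server-side redirect:", redirect)
    print("sent to browser:     ", filter_send_response(redirect, cache))
    print("password cache:      ", cache)
```
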