What Is AuthFilter?
Note
Commerce Server 2009 provides AuthFilter for backward compatibility only. You should use the Commerce Server Membership Provider instead. For information about the Commerce Server Membership Provider, see What Is the Commerce Server Membership Provider?
Commerce Server 2009 provides AuthFilter, which is an ISAPI filter. AuthFilter alters the default behavior of Microsoft Internet Information Services (IIS) and affects how HTTP requests and responses are handled. To setup AuthFilter for the first time, see How to Restore AuthFilter Functioning.
By default, when you use AuthFilter, Commerce Server Core Systems installs AuthFilter at the IIS site level with low priority. This means that if other ISAPI filters are running in IIS, they will process requests before AuthFilter does. If you have ISAPI filters from other applications or custom ISAPI filters on your Web server, you can configure these ISAPI filters at a higher priority if you want those filters to process requests before AuthFilter does.
When AuthFilter is notified of an incoming request, it automatically does the following:
Detects whether the requested URL is correct. AuthFilter automatically corrects for the case sensitivity of the IIS virtual directory roots.
Warning
AuthFilter issues a redirect to correct the case in the requested URL. Any Post data in the requested URL is lost.
Checks whether the browser supports cookies. If the user's browser does not support cookies, AuthFilter redirects the user to a no-cookie page. AuthFilter requires that browsers support cookies.
Warning
AuthFilter issues a redirect when it verifies whether the browser supports cookies. Commerce Server Core Systems does this verification only on the first request during the session. Any Post data in the requested URL is lost.
Checks that the user has a valid ticket. For Windows and custom authentication modes, if the request does not contain a valid MSCSAuth ticket, the request is redirected to the Login.asp page. For Autocookie mode, if the request does not have a valid MSCSProfile ticket, the request is redirected to the Autocookie.asp page.
When a user accesses a site with multiple Web servers, the request is directed to a particular server based on load balancing or a round-robin algorithm. When the request arrives at the server, the user is asked to log on.
If you are using the Active Directory directory service for authentication, the logon is cached by the ISAPI filter and is specific to that server. Commerce Server Core Systems also places a ticket cookie that contains the user ID on the client server.
To enable users to be seamlessly redirected to other Web servers in the cluster, you must make sure that sufficient information is passed to the ISAPI filter on the other servers so that the user can log on. You must write custom code to hide this process from the user. To write the custom code, do the following:
Extend the Profiles store to store the password.
Capture the password in the Profiles store during logon or site registration.
Modify the site registration or logon page to check for the presence of the ticket cookie. If the cookie exists, use the MSCSAuthManager object to get the user ID from the cookie and retrieve the user name and password from the Profiles store. You can then pass the user name and password back to the ISAPI filter.
To operate in a load-balanced cluster, you must store the passwords with reversible encryption. Because passwords are captured on the logon page and written to the Profiles store, the logon page also captures password changes. However, if you use Active Directory tools to change a password during a browser session, the user will be prompted for logon information and the new password will be captured.
Note
You can address the previous authentication issue by deploying Application Center Request Forwarder, which can forward the request before authentication is assessed, and can then forward the user to the server that will recognize that user.
Note
AuthFilter and Commerce Server Core Systems manage the encryption of cookies internally. However, this level of encryption might not be secure enough for some environments. Use the Commerce Server Membership Provider to force Commerce Server Core Systems to use Secure Sockets Layer (SSL) to help create a more secure environment.
Note
If a user tries to log on to a Commerce Server Core Systems site and is continually redirected to the Login.aspx page, select the Set Cookie Path to Application check box in Commerce Server Manager to prevent the AuthTicket from being sent back to the client. Clear this check box to enable AuthFilter to work correctly. For more information about how to use this option, see How to Configure an Application.
Note
If you are using AuthFilter, you can configure multiple Commerce Server Core Systems applications to use a single logon page. To do this, you configure multiple Commerce Server Core Systems applications in IIS. For each IIS application, you need to deploy the Csapp.ini File and Global.asa files to the root of the application.
See Also
Other Resources
Authentication Concepts and Tasks
What Is the Commerce Server Membership Provider?
How to Enable Logons by Using the Commerce Server Membership Provider