Authentication -- Self-Authenticating Scripts
Written and ©1998, 99 by Kevin Flick, www.flicks.com
Creator of Authentix
Self-authenticating scripts usually provide a single URL entry point, with parameters
indicating the current state of the session and the content requested. They can be
written as ASP pages, CGI or Win-CGI programs, ISAPI DLLs, and other variations.
Definitions
- ASP = Active Server Pages. The script reads the request through IIS server variables
(Request.ServerVariables).
- CGI = Common Gateway Interface. IIS hands the request headers to the script as environment
variables and the request body on stdin; the script writes its reply to stdout.
- Win-CGI = Windows Common Gateway Interface. The script communicates with IIS via
temporary INI files.
How to use Self-authenticating scripts
There are too many variations to show how to create a self-authenticating script in
this tutorial; however, they all share a common means of authenticating.
When a request arrives for content protected by a Basic Authentication username and
password, and the request carries no acceptable credentials, the script sends a 401 Access
Denied reply. That reply names the realm in a WWW-Authenticate header and carries some
HTML, which the browser displays to the user only if the login attempt fails or is abandoned.
A regular HTTP reply looks like this (a blank line separates the headers from the body):
HTTP/1.0 200 OK
Server: Microsoft-IIS/3.0
Date: Thu, 11 Mar 1999 16:31:52 GMT
Content-Type: text/html
Last-Modified: Wed, 18 Feb 1998 22:45:46 GMT
Content-Length: 17

Interesting Stuff
A 401 Access Denied reply looks like this. The status code 401 is what the browser acts on
(the standard reason phrase is "Unauthorized"; IIS sends "Access Denied"), and the
WWW-Authenticate header is mandatory: without it the browser simply shows the body instead
of a login dialog.
HTTP/1.0 401 Access Denied
Content-Type: text/html
Server: Microsoft-IIS/3.0
Date: Thu, 11 Mar 1999 16:35:47 GMT
WWW-Authenticate: Basic realm="Message in Popup"

You cannot get in!
Once the script sends the 401 reply, the browser pops up a dialog showing the realm and
invites the user to enter a username and password. The user does not see the access-denied
body unless the login fails. Some browsers keep re-displaying the dialog until a login
succeeds or the user cancels; others give up after three attempts and then show the body.
If the user types in a username and password, the browser resends the request with them
in an HTTP request header that looks like the following:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
The string after "Basic" is the Base64 encoding of username:password (here "Aladdin:open
sesame", the example pair from RFC 2617). Base64 is an encoding, not encryption: anyone who
can read the request can recover the password, so Basic Authentication protects the content
only if the connection itself is protected (SSL).
The script asks the server for this header by reading the server variable
HTTP_AUTHORIZATION, strips the "Basic " prefix and decodes the rest. The result is in the
format username:password; split it at the first colon only, since the password may itself
contain colons. The script then matches the pair against its acceptable values to decide
whether to transmit the content or issue another 401 Denied. The browser keeps sending the
header with every later request for that realm, and nothing else remembers the login, so the
script must repeat the check on every request.
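The challenge-and-check logic described above, written out as an added example (this is not code from the original tutorial or from Authentix). It stands in for the script: a dictionary plays the part of the IIS server variables (ASP Request.ServerVariables or the CGI environment), and the user table, realm text and body strings are constructed for the demonstration. It also shows the client side, the Authorization header the browser builds, and the malformed cases a real script must reject (wrong scheme, bad Base64, no colon).

```python
"""Self-authenticating request handler: Basic Auth challenge and check.

Added example, not code from the original tutorial or from Authentix.
The dictionary passed to handle_request() stands in for the IIS server
variables; VALID_USERS, REALM and the body strings are constructed.
"""
import base64
import hmac
from typing import Dict, Optional, Tuple

REALM = "Message in Popup"

# Constructed credential table for the example. A real script would store
# password hashes rather than plaintext and load them from a file or database.
VALID_USERS = {"alice": "s3cret:with:colons", "bob": "hunter2"}


def make_basic_header(user: str, password: str) -> str:
    """What the browser sends after the user fills in the login dialog."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <base64>' into (user, password), or None if malformed.

    None covers: no header, a scheme other than Basic, invalid Base64, and
    a decoded string with no ':'.  Only the FIRST ':' is the separator,
    because the password itself may contain colons.
    """
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueError subclasses
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def credentials_ok(user: str, password: str) -> bool:
    """Constant-time comparison against the stored password for this user."""
    expected = VALID_USERS.get(user, "")
    match = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    return match and user in VALID_USERS


def handle_request(server_variables: Dict[str, str]) -> Tuple[str, Dict[str, str], str]:
    """The self-authenticating decision for one request.

    Returns (status text, headers, body).  Every request is checked, because
    the browser resends the Authorization header with each request in the
    realm and nothing else remembers the login.
    """
    creds = parse_basic_authorization(server_variables.get("HTTP_AUTHORIZATION"))
    if creds is not None and credentials_ok(*creds):
        body = "Interesting Stuff"
        return "200 OK", {"Content-Type": "text/html",
                          "Content-Length": str(len(body))}, body
    body = "You cannot get in!"
    headers = {
        "Content-Type": "text/html",
        "Content-Length": str(len(body)),
        # Required on a 401: names the realm the browser shows in its dialog.
        "WWW-Authenticate": 'Basic realm="%s"' % REALM,
    }
    return "401 Access Denied", headers, body


def format_response(status: str, headers: Dict[str, str], body: str) -> str:
    """Render the reply as the wire-format HTTP/1.0 message shown in the text."""
    lines = ["HTTP/1.0 " + status]
    lines += ["%s: %s" % item for item in headers.items()]
    lines += ["", body]
    return "\r\n".join(lines)


if __name__ == "__main__":
    # First request: no credentials yet -> challenge.
    print(format_response(*handle_request({})))
    print()
    # Browser retries with the user's entry -> content.
    retry = {"HTTP_AUTHORIZATION": make_basic_header("alice", "s3cret:with:colons")}
    print(format_response(*handle_request(retry)))
```

The comparison uses hmac.compare_digest rather than == so that a wrong password takes the same time as a right one, and an unknown username is compared against an empty string before being rejected, so timing does not reveal which usernames exist.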
NB: In IIS4, the HTTP_AUTHORIZATION value may not be returned correctly by IIS.
In the MMC, select the directory in which the ASP page calling this function resides. If
Basic (Clear Text) is off and NTCR (Windows NT Challenge/Response) is on, HTTP_AUTHORIZATION
will not return the correct value. This problem did not occur in IIS3. The Microsoft bug
Case Number is SR X980 2166010 644. The recommended workaround is to either
- turn Basic (Clear Text) off and NTCR off for that directory, OR
- turn Basic (Clear Text) on and NTCR on for that directory.
In either case, make sure that Allow Anonymous is checked, so that IIS lets the request
reach the script instead of rejecting it itself.
Self-authenticating scripts are the way to go if
- you have the skills, resources and time to do it.
- you want to generate your content in a single program.
You won't want self-authenticating scripts if
- you want protected content in normal directory/file/HTML format.
- you are worried about maintaining the content. Scripts can become fairly complex when
the content becomes large, and changes are not easily made. If the content is stored in
a database this becomes more flexible, but you have the added complexity and performance
hit of interfacing to the database.