The Microsoft Commerce Server 2000 authentication filter (AuthFilter) operates according to a specific sequence of events. (Figure A illustrates this sequence.) In this description of the process, I start with a user who is working from a browser and who wants to access a URL on a Commerce Server Web site. Before authenticating the user, AuthFilter performs three tasks:
- It checks for the Commerce Server configuration options in the local site configuration cache. If these options aren't available, AuthFilter loads them from the Commerce Server administration database. These configuration settings tell AuthFilter where it must look for certain files it needs during the authentication sequence.
- It checks the format of the URL contained in the user's HTTP request. If necessary, AuthFilter changes the URL's case as the IIS virtual directory naming conventions require.
- It checks whether the browser supports cookies.
Next, AuthFilter redirects the user to a logon form (by default, Login.asp) if one of the following statements is true:
- The user hasn't accessed the site before (i.e., doesn't have a ticket), and the URL doesn't support anonymous access.
- The user has an invalid ticket.
- The user has a valid ticket but insufficient access rights.
In the logon form, the user can enter his or her credentials. If the user is a first-time visitor, AuthFilter adds the user's credentials to a local credential store. If the user is a returning visitor, AuthFilter authenticates the credentials against the copy of the credentials in the credential store. After AuthFilter has authenticated the user, it asks the authentication manager (AuthManager) to generate a ticket that AuthFilter will embed in a cookie and pass to the user. AuthFilter can then use this cookie and ticket to validate the user's identity on subsequent visits.
If the user has a valid ticket and sufficient access rights to the URL, or if the user doesn't have a valid ticket but the URL supports anonymous access, AuthFilter returns the requested URL to the user. If the user has disabled cookies in the browser, AuthFilter redirects the user to a special page that tells the user that access is denied to browsers with cookie support disabled (by default, NoCookie.asp).
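The decision sequence described above, modelled in Python as an added example. This is not Commerce Server or AuthFilter code: the ticket format (a signed `user|expiry` string), the HMAC key, the URL-to-lowercase normalisation, and the anonymous-URL and access-right tables are all constructed assumptions standing in for AuthManager's real ticket and the site's real configuration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed demo key; AuthManager's real ticket secret is not described on the page.
SECRET = b"constructed-demo-key"

# Constructed site configuration: which URLs allow anonymous access, and which
# authenticated users hold rights to each protected URL (keys are lowercase).
ANONYMOUS_URLS = {"/default.asp"}
ACCESS_RIGHTS = {"/members/orders.asp": {"alice"}}


def issue_ticket(user: str, expires_at: int) -> str:
    """Hypothetical ticket: 'user|expiry|hmac', signed so the cookie can't be forged."""
    body = f"{user}|{expires_at}"
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def validate_ticket(ticket: str, now: int) -> Optional[str]:
    """Return the user named in a valid, unexpired ticket, or None if it is invalid."""
    parts = ticket.split("|")
    if len(parts) != 3:
        return None
    user, expires_at, mac = parts
    expected = hmac.new(SECRET, f"{user}|{expires_at}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a tampered MAC can't be probed byte by byte.
    if not hmac.compare_digest(mac, expected):
        return None
    if not expires_at.isdigit() or int(expires_at) < now:
        return None
    return user


@dataclass
class Request:
    url: str
    cookies_supported: bool
    ticket: Optional[str]  # contents of the ticket cookie, if the browser sent one


def decide(req: Request, now: int) -> str:
    """Model of AuthFilter's sequence: returns 'serve:<url>' or 'redirect:<page>'."""
    # Pre-authentication check: no cookie support means the ticket can never be carried.
    if not req.cookies_supported:
        return "redirect:/NoCookie.asp"
    # Assumed normalisation standing in for the IIS case adjustment.
    url = req.url.lower()
    user = validate_ticket(req.ticket, now) if req.ticket else None
    if user is None:
        # No ticket or an invalid ticket: only anonymous URLs are served.
        return f"serve:{url}" if url in ANONYMOUS_URLS else "redirect:/Login.asp"
    if url in ANONYMOUS_URLS or user in ACCESS_RIGHTS.get(url, set()):
        return f"serve:{url}"
    # Valid ticket but insufficient rights also goes back to the logon form.
    return "redirect:/Login.asp"


if __name__ == "__main__":
    now = 1_000_000
    alice = issue_ticket("alice", now + 600)
    for r in (Request("/Default.asp", True, None),
              Request("/members/orders.asp", True, None),
              Request("/members/orders.asp", True, alice),
              Request("/members/orders.asp", False, alice)):
        print(r.url, "->", decide(r, now))
```

The order of checks matters: the cookie test runs before any ticket handling, so a browser that cannot hold the cookie is sent to NoCookie.asp even if it somehow presents a ticket, and an expired or tampered ticket is treated exactly like a missing one.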