The Pubcookie ISAPI filter uses the Internet Server Application
Programming Interface (ISAPI)
and the OpenSSL cryptography library to add Pubcookie-based
authentication to Microsoft Internet Information Services.
The Pubcookie filter specifically implements the application
server component of Pubcookie. It is written in C.
The Pubcookie filter provides the following functionality:
- user authentication via a separate Pubcookie login server
- per-application authentication session management
- per-application inactivity and hard timeouts
- per-application logout
This functionality can be configured server-wide or on a
per-application basis via the filter's registry settings.
The Pubcookie filter is controlled through properties set
in the Windows registry. Authentication is specifically controlled
by setting the AuthType property, which, depending on the
layout of the application on the filesystem and where authentication
is needed, might be applied to an entire website, a folder,
or just a single .asp file.
The Pubcookie filter uses the HTTP_PUBCOOKIE_USER
server variable to make each authenticated user's identity
(usually, a username) available to applications.
Pubcookie provides authentication, not authorization: it identifies
who someone is, not what he or she is permitted to do. Therefore,
after authenticating a user, the Pubcookie filter's job is
done, and it's up to individual applications to decide what
to do next. In practice, application developers use ASP or
Global.asa files to implement authorization based on the user
identity presented to them by the Pubcookie filter.
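The following classic ASP page is an added example, not code from the Pubcookie distribution: it authorizes a request against the identity in HTTP_PUBCOOKIE_USER and fails closed when that variable is empty. The ALLOWED_USERS list, its user names, and the helper function names are constructed for illustration.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit

' Constructed allow list for illustration; a real application would
' load this from its own configuration or directory service.
Const ALLOWED_USERS = "alice,bob"

' Build a case-insensitive lookup table from a comma-separated list.
Function BuildAllowList(ByVal csv)
    Dim dict, entry
    Set dict = Server.CreateObject("Scripting.Dictionary")
    dict.CompareMode = vbTextCompare   ' must be set while the dictionary is empty
    For Each entry In Split(csv, ",")
        If Len(Trim(entry)) > 0 Then dict(Trim(entry)) = True
    Next
    Set BuildAllowList = dict
End Function

' Fail closed: an empty or missing identity is never authorized.
Function IsAuthorized(ByVal user, allowList)
    IsAuthorized = False
    user = Trim(user)
    If Len(user) = 0 Then Exit Function
    IsAuthorized = allowList.Exists(user)
End Function

Dim pubcookieUser
' Identity supplied by the Pubcookie filter after authentication.
pubcookieUser = Request.ServerVariables("HTTP_PUBCOOKIE_USER")

If Not IsAuthorized(pubcookieUser, BuildAllowList(ALLOWED_USERS)) Then
    ' Authenticated (or not) but not permitted: refuse and stop processing.
    Response.Status = "403 Forbidden"
    Response.Write "Access denied."
    Response.End
End If
%>
<p>Welcome, <%= Server.HTMLEncode(pubcookieUser) %>.</p>
```

The empty-identity check matters on any path where AuthType is not applied, since the filter has not authenticated the request there.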
IIS Server Variables
The Pubcookie filter sets the following IIS server variables:
||authenticated user's identity
||Pubcookie filter version
||first folder name from webroot
||Pubcookie credential level (i.e. auth type)
||hostname of the application server
The Pubcookie filter logs startup, terminate, and error messages
in the System event log under the W3SVC source. These messages
reflect the Windows account assigned to handle a request (if
one is assigned), not the remote user identity.