Pubcookie Home > Documentation 
ISAPI Filter Overview
Component:  pubcookie filter
Audience:  All
Modified:  February 20, 2003

Included on this page:

What is the Pubcookie ISAPI Filter?

The Pubcookie ISAPI filter uses the Internet Server Application Programming Interface (ISAPI) and the OpenSSL cryptography library to add Pubcookie-based authentication to Microsoft Internet Information Services. The Pubcookie filter specifically implements the application server component of Pubcookie. It is written in C.

Functionality Review

The Pubcookie filter provides the following functionality:

  • user authentication via a separate Pubcookie login server
  • per-application authentication session management
  • per-application inactivity and hard timeouts
  • per-application logout
  • logging

This functionality can be configured server-wide or on a per-application basis via the filter's registry settings.

Authentication Interfaces

The Pubcookie filter is controlled through properties set in the Windows registry. Authentication is specifically controlled by setting the AuthType property, which, depending on the layout of the application on the filesystem and where authentication is needed, might be applied to an entire website, a folder, or just a single .asp file.

The Pubcookie filter uses the HTTP_PUBCOOKIE_USER server variable to make each authenticated user's identity (usually, a username) available to applications.

Authorization Issues

Pubcookie provides authentication not authorization: it identifies who someone is, not what he or she is permitted to do. Therefore, after authenticating a user, the Pubcookie filter's job is done, and it's up to individual applications to decide what to do next. In practice, application developers use ASP or Global.asa files to implement authorization based on the user identity presented to them by the Pubcookie filter.

IIS Server Variables

The Pubcookie filter sets the following IIS server variables:

    Server Variable Description
    HTTP_PUBCOOKIE_USER authenticated user's identity
    HTTP_PUBCOOKIE_VERSION Pubcookie filter version
    HTTP_PUBCOOKIE_APPID first folder name from webroot
    HTTP_PUBCOOKIE_CREDS Pubcookie credential level (i.e. auth type)
    HTTP_PUBCOOKIE_SERVER hostname of the application server


The Pubcookie filter logs startup, terminate, and error messages in the System event log under the W3SVC source. These messages reflect the Windows account assigned to handle a request (if one is assigned) not the remote user identity.

[Pubcookie Home Page]
Copyright © 2002-2008 University of Washington
UW Technology Services
Pubcookie Contact Info
Modified: February 20, 2003