Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Commerce Server Site User May Not Authenticate as Expected


View products that this article applies to.

This article was previously published under Q277542

↑ Back to the top


Symptoms

When a user logs on to a Commerce Server 2000 site and visits a page on the site, the user may not be recognized as an authenticated user. The user may receive an error message (such as "Access denied") or may be returned to the log on page.

↑ Back to the top


Cause

This problem occurs because the cookie that stores the user ID has an associated path that is case sensitive. Cookies are only sent with a request when the path in the request matches the path that is stored with the cookie. If the browser requests a URL in which the case of the request differs from the case that is stored in the cookie, the cookie that identifies the user is not sent. Therefore, the server cannot identify the user.

NOTE: This problem does not occur if a site uses the ISAPI filter, AuthFilter, for security because AuthFilter automatically corrects the case of the URL in requests that it receives. The solution sites also contain code to correct the case of the URL. This problem only occurs on sites that are created without the solution sites as a base, or sites that have been modified to remove this checking feature.

↑ Back to the top


Resolution

To resolve this problem, make sure that the case in all links is identical. Ideally, you should build all URLs using the virtual directory that is returned by the VirtualDirectory function of the AppFrameWork object or the GetURL function of the MSCSAuthManager object. You should also detect and correct the case of URLs that are presented to your site.

↑ Back to the top


Workaround

If you do not want to edit and change the code for the site, which the above resolutions suggest, use one of the following workarounds:
  • Configure Commerce Server so that the path that is issued for authentication is not set in the cookie. To set the path of the cookie to the root of the site, follow these steps:

    1. Open the Commerce Server Manager Microsoft Management Console (MMC).
    2. Click to expand the Commerce Server Manager and Commerce Sites nodes, and then click to expand the desired site.
    3. Click to expand the Applications node, right-click the desired virtual directory, and then click Properties.
    4. Clear the Set cookie path to application check box, and then click Apply.
    5. Close all dialog boxes, and then restart Internet Information Server (IIS).
    NOTE: All Commerce Server 2000 sites that run on the same domain will overwrite the same cookie. For example, the sites "http://www.myshoppingmall.com/shop1" and "http://www.myshoppingmall.com/shop2" do not work together if both sites are using Commerce Server 2000.
  • Enable AuthFilter for your site. This requires all client browsers that access the site to support cookies. This also includes certain security requirements that may not fit your site design. For more information, see the Commerce Server 2000 online documentation.

↑ Back to the top


More information

For more information about the values that are stored in Commerce Server cookies, see the "Cookies and Authentication" topic in the Commerce Server 2000 online documentation under the following sections:
Getting Started
Commerce Server Concepts
Cookies and Authentication
For more information about how AuthFilter corrects URLs, see the "Base Services" topic in the Commerce Server 2000 online documentation under the following sections:
Developing Your Site
Working with Site Security and Filters
AuthFilter
Base Services

↑ Back to the top


Keywords: KB277542, kbprb, kbpending

↑ Back to the top

Article Info
Article ID : 277542
Revision : 4
Created on : 10/22/2003
Published on : 10/22/2003
Exists online : False
Views : 462