Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Commerce Server Site User May Not Authenticate as Expected



This article was previously published under Q277542



Symptoms

When a user logs on to a Commerce Server 2000 site and visits a page on the site, the user may not be recognized as an authenticated user. The user may receive an error message (such as "Access denied") or may be returned to the logon page.



Cause

This problem occurs because the cookie that stores the user ID has an associated path that is case sensitive. Cookies are only sent with a request when the path in the request matches the path that is stored with the cookie. If the browser requests a URL in which the case of the request differs from the case that is stored in the cookie, the cookie that identifies the user is not sent. Therefore, the server cannot identify the user.

NOTE: This problem does not occur if a site uses the ISAPI filter, AuthFilter, for security because AuthFilter automatically corrects the case of the URL in requests that it receives. The solution sites also contain code to correct the case of the URL. This problem only occurs on sites that are created without the solution sites as a base, or sites that have been modified to remove this checking feature.



Resolution

To resolve this problem, make sure that the case in all links is identical. Ideally, you should build all URLs using the virtual directory that is returned by the VirtualDirectory function of the AppFrameWork object or the GetURL function of the MSCSAuthManager object. You should also detect and correct the case of URLs that are presented to your site.
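
The case-sensitive path comparison described under Cause, together with the URL case correction recommended above, as an added example (not code from the original article or from Commerce Server). The /Retail virtual directory, the sample request paths and the function names are assumptions made for illustration; the matching rule follows RFC 6265, section 5.1.4.

```javascript
// Added example: why a cookie scoped to an application path is withheld when
// the request uses different casing, and how a site can correct the casing.
// APP_PATH and the sample paths are constructed for illustration.
const APP_PATH = "/Retail"; // assumed Path attribute on the authentication cookie

// True if a browser would send a cookie with Path=cookiePath on a request for
// requestPath (RFC 6265 path-match: an exact, case-sensitive comparison).
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false; // case-sensitive prefix
  // The prefix must end on a path-segment boundary.
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Returns the path to redirect the client to so that the application prefix
// carries the cookie's casing, or null when no redirect is needed (already
// canonical, or the request belongs to a different application).
// The result always begins with the fixed appPath, so the redirect stays
// inside the application on the same host.
function canonicalRedirect(requestPath, appPath = APP_PATH) {
  const prefix = requestPath.slice(0, appPath.length);
  if (prefix.toLowerCase() !== appPath.toLowerCase()) return null;
  const rest = requestPath.slice(appPath.length);
  if (rest !== "" && !rest.startsWith("/")) return null; // e.g. /RetailOther
  if (prefix === appPath) return null; // casing already matches the cookie
  return appPath + rest;
}

// Constructed requests: the same page reached with differently cased links.
function demo() {
  const paths = ["/Retail/basket.asp", "/retail/basket.asp", "/RETAIL/basket.asp"];
  return paths.map((p) => ({
    path: p,
    cookieSent: pathMatches(p, APP_PATH),
    redirectTo: canonicalRedirect(p),
  }));
}

console.log(demo());
```

Only the first request carries the cookie; the other two are the ones the site has to detect and redirect to the canonical casing before the authentication check runs.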



Workaround

If you do not want to change the site code as the resolution above suggests, use one of the following workarounds:
  • Configure Commerce Server so that the path that is issued for authentication is not set in the cookie. To set the path of the cookie to the root of the site, follow these steps:

    1. Open the Commerce Server Manager Microsoft Management Console (MMC).
    2. Click to expand the Commerce Server Manager and Commerce Sites nodes, and then click to expand the desired site.
    3. Click to expand the Applications node, right-click the desired virtual directory, and then click Properties.
    4. Clear the Set cookie path to application check box, and then click Apply.
    5. Close all dialog boxes, and then restart Internet Information Server (IIS).
    NOTE: All Commerce Server 2000 sites that run on the same domain will overwrite the same cookie. For example, the sites "http://www.myshoppingmall.com/shop1" and "http://www.myshoppingmall.com/shop2" do not work together if both sites are using Commerce Server 2000.
  • Enable AuthFilter for your site. This requires all client browsers that access the site to support cookies. This also includes certain security requirements that may not fit your site design. For more information, see the Commerce Server 2000 online documentation.



More information

For more information about the values that are stored in Commerce Server cookies, see the "Cookies and Authentication" topic in the Commerce Server 2000 online documentation under the following sections:
  • Getting Started
  • Commerce Server Concepts
  • Cookies and Authentication

For more information about how AuthFilter corrects URLs, see the "Base Services" topic in the Commerce Server 2000 online documentation under the following sections:
  • Developing Your Site
  • Working with Site Security and Filters
  • AuthFilter
  • Base Services



Keywords: KB277542, kbprb, kbpending


Article Info
Article ID : 277542
Revision : 4
Created on : 10/22/2003
Published on : 10/22/2003
Exists online : False