Commerce Server Security

Commerce Server provides two tools to manage user authentication and identification: the AuthManager object and the AuthFilter.

  • AuthManager is a Component Object Model (COM) object that exposes methods for identifying users and controlling access to dynamically generated content. For example, a site developer could invoke the GetUserID method of AuthManager object to identify a user based on a cookie or a query string.

  • AuthFilter is an Internet Server API (ISAPI) filter that is used at the Internet Information Services (IIS) Commerce Server application level. It can be applied to all users visiting the application. You configure properties used by AuthFilter at the global CS Authentication level. You configure the authentication mode at the application level. You can choose the following authentication modes: Windows Authentication, Custom Authentication, and Autocookie.

When you configure the AuthManager object and AuthFilter, the authentication properties are stored in the Administration database. The CS Authentication resource interacts with the Config objects to store and retrieve the properties from the Administration database.

The Solution Sites do not use AuthFilter because they are designed to support cookieless shopping.

The following table summarizes the differences among the features supported by AuthFilter, the AuthManager object, and the Solution Sites.

Feature AuthFilter AuthManager Solution Sites
Checks whether session cookies (non-persistent cookies) are supported Yes No Yes
Supports cookieless shopping No Yes Yes
Provides granular access control using access control lists (ACLs) Yes No No
Supports custom login pages for retrieving Windows credentials Yes Yes No
URL case correction Yes No Yes

This section contains:

See Also

Planning for Security

Working with Site Security and Filters

Site Security Objects

Managing the CS Authentication Resource

Commerce Server Security Checklist

Securing Your Site

All rights reserved.