Microsoft KB Archive/196074: Difference between revisions
m (Text replacement - ">" to ">") |
m (Text replacement - """ to """) |
||
| Line 67: | Line 67: | ||
The following example simulates when permissions are applied to a Web page by checking this variable and returning a 401 status if it is empty. If the user has been authenticated, then it stores the user name in a session variable so it can be used later without having to force authentication.<br /> | The following example simulates when permissions are applied to a Web page by checking this variable and returning a 401 status if it is empty. If the user has been authenticated, then it stores the user name in a session variable so it can be used later without having to force authentication.<br /> | ||
<br /> | <br /> | ||
Paste the following ASP code into Notepad and save the file in the root directory of your Web site as | Paste the following ASP code into Notepad and save the file in the root directory of your Web site as "401LogonUser.inc" (without the quotation marks):<br /> | ||
<pre class="codesample"><% | <pre class="codesample"><% | ||
' Check to see if the session variable is already populated. | ' Check to see if the session variable is already populated. | ||
If Session( | If Session("LOGON_USER") = "" Then | ||
' Check to see if the user has logged on at all. | ' Check to see if the user has logged on at all. | ||
If Request.ServerVariables( | If Request.ServerVariables("LOGON_USER") = "" Then | ||
' Force authentication if not. | ' Force authentication if not. | ||
Response.Clear | Response.Clear | ||
Response.Status = | Response.Status = "401 Access Denied" | ||
Response.End | Response.End | ||
Else | Else | ||
' Store the client's user name in a session variable. | ' Store the client's user name in a session variable. | ||
Session( | Session("LOGON_USER") = Request.ServerVariables("LOGON_USER") | ||
' Strip out an NT domain from the user name. | ' Strip out an NT domain from the user name. | ||
If InStr(Session( | If InStr(Session("LOGON_USER"),"\") then | ||
Session( | Session("LOGON_USER") = Mid(Session("LOGON_USER"),InStr(Session("LOGON_USER"),"\")+1) | ||
End If | End If | ||
| Line 93: | Line 93: | ||
Then include the following code at the very top of (at least) the first ASP page that needs the variable:<br /> | Then include the following code at the very top of (at least) the first ASP page that needs the variable:<br /> | ||
<pre class="codesample"> <%@ LANGUAGE= | <pre class="codesample"> <%@ LANGUAGE="VBSCRIPT"%> | ||
<!--#include virtual= | <!--#include virtual="/401LogonUser.inc"--> | ||
</pre> | </pre> | ||
<br /> | <br /> | ||
| Line 101: | Line 101: | ||
When the variable has been populated, you can then reference it when you need it, as follows:<br /> | When the variable has been populated, you can then reference it when you need it, as follows:<br /> | ||
<pre class="codesample"> <% somevariable = Session( | <pre class="codesample"> <% somevariable = Session("LOGON_USER") %> | ||
</pre> | </pre> | ||
<br /> | <br /> | ||
| Line 113: | Line 113: | ||
NOTE: Even after abandoning the session, the browser is still holding the logon credentials.<br /> | NOTE: Even after abandoning the session, the browser is still holding the logon credentials.<br /> | ||
<pre class="codesample"> <%@ LANGUAGE= | <pre class="codesample"> <%@ LANGUAGE="VBSCRIPT"%> | ||
<%Session.Timeout = 1%> | <%Session.Timeout = 1%> | ||
<!--#include virtual= | <!--#include virtual="/401LogonUser.inc"--> | ||
<html> | <html> | ||
<head><title>LOGON_USER Test</title></head> | <head><title>LOGON_USER Test</title></head> | ||
<body> | <body> | ||
Hello <%=UCase(Session( | Hello <%=UCase(Session("LOGON_USER"))%>! | ||
</body> | </body> | ||
</html> | </html> | ||
Latest revision as of 12:45, 21 July 2020
Article ID: 196074
Article Last Modified on 6/22/2005
APPLIES TO
- Microsoft Internet Information Server 3.0
- Microsoft Internet Information Server 4.0
This article was previously published under Q196074
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
SUMMARY
This article describes how to store an authenticated user name in a session variable for later use in Web pages.
MORE INFORMATION
Typically, when permissions are applied to a Web page and a client browses the page, a status code of 401 is returned to the browser and it displays a logon dialog. When the user enters a name and password, the client is either allowed to enter the site or denied access. If the user is allowed access, the server environment variable named LOGON_USER will contain the user name as entered by the client.
The following example simulates when permissions are applied to a Web page by checking this variable and returning a 401 status if it is empty. If the user has been authenticated, then it stores the user name in a session variable so it can be used later without having to force authentication.
Paste the following ASP code into Notepad and save the file in the root directory of your Web site as "401LogonUser.inc" (without the quotation marks):
<%
' Check to see if the session variable is already populated.
If Session("LOGON_USER") = "" Then
' Check to see if the user has logged on at all.
If Request.ServerVariables("LOGON_USER") = "" Then
' Force authentication if not.
Response.Clear
Response.Status = "401 Access Denied"
Response.End
Else
' Store the client's user name in a session variable.
Session("LOGON_USER") = Request.ServerVariables("LOGON_USER")
' Strip out an NT domain from the user name.
If InStr(Session("LOGON_USER"),"\") then
Session("LOGON_USER") = Mid(Session("LOGON_USER"),InStr(Session("LOGON_USER"),"\")+1)
End If
End If
End If
%>
Then include the following code at the very top of (at least) the first ASP page that needs the variable:
<%@ LANGUAGE="VBSCRIPT"%>
<!--#include virtual="/401LogonUser.inc"-->
You can include the code on every page if you want to be sure that a client has bypassed the starting page for a Web site or Web application.
When the variable has been populated, you can then reference it when you need it, as follows:
<% somevariable = Session("LOGON_USER") %>
You can also force the authentication process at any time by abandoning the session:
<%Session.Abandon%>
The following page illustrates the above examples in a page that will set the timeout to one minute, authenticate the user, and then authenticate the user if the page is refreshed after being left idle for the one minute timeout.
NOTE: Even after abandoning the session, the browser is still holding the logon credentials.
<%@ LANGUAGE="VBSCRIPT"%>
<%Session.Timeout = 1%>
<!--#include virtual="/401LogonUser.inc"-->
<html>
<head><title>LOGON_USER Test</title></head>
<body>
Hello <%=UCase(Session("LOGON_USER"))%>!
</body>
</html>
Keywords: kbhowto KB196074
