Re: Need to find out the actual file name of a cookie - Web Development Discussion Boards

Jeremy Falcon3-Jul-02 11:04

3-Jul-02 11:04

How to Create a Virtual Directory in IIS

Jeremy L. Falcon
Homepage : Sonork = 100.16311

"The height of your accomplishments will equal the depth of your convictions."
- William F. Scolavino

Need to find out the actual file name of a cookie

Chris LaQuerre3-Jul-02 9:11

Chris LaQuerre

3-Jul-02 9:11

First off, I'm open to suggestions for a better solution to my problem, but I think that I may have an idea that will work.

Background:
I work heavily with web development on a corporate Intranet. Our company has ~300 employees. We recently gave all employees the ability to post their own news items on the Intranet Home page. The users manually type their name into a form field and their IP address is logged when they submit items. However, our network assigns users a new IP address when they log onto the system, and we have no way to track this back the the original person that made the submission. Basically, if they lie about their first/last name, we would have no way of figuring out whe the person actually is.

Problem:
We need a way of logging some information about the user so that we can easily track things back to them if needed. Here is my idea: All users are on Windows NT. Windows NT stores all cookies as the users Windows Logon (in my case "laquerr_chj@ourwebsitename"). If it is possible to read and record the file name of any cookie stored on the users machine, then the problem would be solved. I looked at many scripts on the web and could not find a way to do this.

Chris LaQuerre
Internet Technologies Consultant

Re: Need to find out the actual file name of a cookie

Jeremy Falcon3-Jul-02 9:31

Jeremy Falcon

3-Jul-02 9:31

AFAIK the way cookies are implemented can be different from browser-to-browser. I've seen differences between IE and NS anyway. This may not be an issue, however, because if you are on an Intranet and it may be corporate policy to use a certain browser.

Regardless, I would not recommend using cookies at all for this. Instead, try using the AUTH_USER server variable to get the user that's currently logged in. This way, a user can hop on a different machine in the same domain or dare I say workgroup and still have their settings on the app.

I'm assuming you are using ASP, so the code for it will look a bit like so...

JScript<br />
<br />
var user = new String(Request.ServerVariables("AUTH_USER"));<br />
user = user.toUpperCase();<br />
<br />
VBScript<br />
<br />
Dim user<br />
user = UCase(Request.ServerVariables("AUTH_USER"))

Jeremy L. Falcon
Homepage : Sonork = 100.16311

"The height of your accomplishments will equal the depth of your convictions."
- William F. Scolavino

Re: Need to find out the actual file name of a cookie

Chris LaQuerre3-Jul-02 9:45

Chris LaQuerre

3-Jul-02 9:45

I actually tryed to do this using Server Variables at first but ran into one problem. The value returned for "AUTH_USER" on my PC is empty. I think that this is because visitors are not logging onto the web page at any point... they are just an anonomous visitor as far as the site is concerned. The file name of the cookie that I referred to in my original post is pulled from the user's Windows Logon. It is something that is done by the user's PC rather than the web server.

I also took a look at all other Server Variables and was unable to find anything that was unique as well as easily tracable back to my machine.

Also, the cookie differences between browsers shouldn't be an issue in my case. I am working in a controlled Intranet environment, and everyone in the company is standardized on IE 5.5.

By the way, thanks for the quick response.

Chris LaQuerre
Internet Technologies Consultant

Re: Need to find out the actual file name of a cookie

Jeremy Falcon3-Jul-02 10:04

Jeremy Falcon

3-Jul-02 10:04

Chris LaQuerre wrote:
The value returned for "AUTH_USER" on my PC is empty.

The server (or more correctly, web app) has to support user authentication. In the IIS management console specify something like "Basic Authentication" and it'll access the SAM on the NT client machine when going to the page.

Note, that if the user does not logon to a valid account in the domain, it'll prompt them for a username and password.

Chris LaQuerre wrote:
It is something that is done by the user's PC rather than the web server.

The server and client work together on this.

Chris LaQuerre wrote:
By the way, thanks for the quick response.

No problem. Smile | :)

Jeremy L. Falcon
Homepage : Sonork = 100.16311

"The height of your accomplishments will equal the depth of your convictions."
- William F. Scolavino

Re: Need to find out the actual file name of a cookie

Chris LaQuerre3-Jul-02 10:16

Chris LaQuerre

3-Jul-02 10:16

Jeremy Falcon wrote:
Note, that if the user does not logon to a valid account in the domain, it'll prompt them for a username and password.

What is considered to be a valid account in the domain? In my case, I would want everyone who is on the network to be allowed onto the site. Will this be true by default?

Chris LaQuerre
Internet Technologies Consultant

Re: Need to find out the actual file name of a cookie

Jeremy Falcon3-Jul-02 10:19

Jeremy Falcon

3-Jul-02 10:19

Chris LaQuerre wrote:
What is considered to be a valid account in the domain?

Anything with an account in the Primary Domain Controller (PDC) for that domain. If you are not using a domain, could you give me a bit more specs on the how the network is set-up, and then I can go from there?

Chris LaQuerre wrote:
Will this be true by default?

Yes, but if people log onto the domain anyway just to use their machine it's not a problem because it won't show.

Jeremy L. Falcon
Homepage : Sonork = 100.16311

"The height of your accomplishments will equal the depth of your convictions."
- William F. Scolavino

Re: Need to find out the actual file name of a cookie

Nick Parker4-Jul-02 5:09

Nick Parker

4-Jul-02 5:09

There are several options as to how you can set this up. Here is some code that will allow you to place a form on your page(using your own design for the company), check their user name and password and then you can log that later to a database if they supplied the correct NT user name and password. I would suggest placing this code into a Active X .dll, then you only need to create a object of it and call the SSPValidateUser method to validate the user(this will return a boolean). Here is the code, it is rather long. Hope this helps.

Option Explicit

Private Const HEAP_ZERO_MEMORY = &H8

Private Const SEC_WINNT_AUTH_IDENTITY_ANSI = &H1

Private Const SECBUFFER_TOKEN = &H2

Private Const SECURITY_NATIVE_DREP = &H10

Private Const SECPKG_CRED_INBOUND = &H1
Private Const SECPKG_CRED_OUTBOUND = &H2

Private Const SEC_I_CONTINUE_NEEDED = &H90312
Private Const SEC_I_COMPLETE_NEEDED = &H90313
Private Const SEC_I_COMPLETE_AND_CONTINUE = &H90314

Private Const VER_PLATFORM_WIN32_NT = &H2

Type SecPkgInfo
   fCapabilities As Long
   wVersion As Integer
   wRPCID As Integer
   cbMaxToken As Long
   Name As Long
   Comment As Long
End Type

Type SecHandle
    dwLower As Long
    dwUpper As Long
End Type

Type AUTH_SEQ
   fInitialized As Boolean
   fHaveCredHandle As Boolean
   fHaveCtxtHandle As Boolean
   hcred As SecHandle
   hctxt As SecHandle
End Type

Type SEC_WINNT_AUTH_IDENTITY
   User As String
   UserLength As Long
   Domain As String
   DomainLength As Long
   Password As String
   PasswordLength As Long
   Flags As Long
End Type

Type TimeStamp
   LowPart As Long
   HighPart As Long
End Type

Type SecBuffer
   cbBuffer As Long
   BufferType As Long
   pvBuffer As Long
End Type

Type SecBufferDesc
   ulVersion As Long
   cBuffers As Long
   pBuffers As Long
End Type

Public Type OSVERSIONINFO
   dwOSVersionInfoSize As Long
   dwMajorVersion As Long
   dwMinorVersion As Long
   dwBuildNumber As Long
   dwPlatformId As Long
   szCSDVersion As String * 128
End Type

Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" _
      (Destination As Any, Source As Any, ByVal Length As Long)
   
Private Declare Function NT4QuerySecurityPackageInfo Lib "security" _
      Alias "QuerySecurityPackageInfoA" (ByVal PackageName As String, _
      ByRef pPackageInfo As Long) As Long

Private Declare Function QuerySecurityPackageInfo Lib "secur32" _
      Alias "QuerySecurityPackageInfoA" (ByVal PackageName As String, _
      ByRef pPackageInfo As Long) As Long

Private Declare Function NT4FreeContextBuffer Lib "security" _
      Alias "FreeContextBuffer" (ByVal pvContextBuffer As Long) As Long

Private Declare Function FreeContextBuffer Lib "secur32" _
      (ByVal pvContextBuffer As Long) As Long

Private Declare Function NT4InitializeSecurityContext Lib "security" _
      Alias "InitializeSecurityContextA" _
      (ByRef phCredential As SecHandle, ByRef phContext As SecHandle, _
      ByVal pszTargetName As Long, ByVal fContextReq As Long, _
      ByVal Reserved1 As Long, ByVal TargetDataRep As Long, _
      ByRef pInput As SecBufferDesc, ByVal Reserved2 As Long, _
      ByRef phNewContext As SecHandle, ByRef pOutput As SecBufferDesc, _
      ByRef pfContextAttr As Long, ByRef ptsExpiry As TimeStamp) As Long

Private Declare Function InitializeSecurityContext Lib "secur32" _
      Alias "InitializeSecurityContextA" _
      (ByRef phCredential As SecHandle, ByRef phContext As SecHandle, _
      ByVal pszTargetName As Long, ByVal fContextReq As Long, _
      ByVal Reserved1 As Long, ByVal TargetDataRep As Long, _
      ByRef pInput As SecBufferDesc, ByVal Reserved2 As Long, _
      ByRef phNewContext As SecHandle, ByRef pOutput As SecBufferDesc, _
      ByRef pfContextAttr As Long, ByRef ptsExpiry As TimeStamp) As Long

Private Declare Function NT4InitializeSecurityContext2 Lib "security" _
      Alias "InitializeSecurityContextA" _
      (ByRef phCredential As SecHandle, ByVal phContext As Long, _
      ByVal pszTargetName As Long, ByVal fContextReq As Long, _
      ByVal Reserved1 As Long, ByVal TargetDataRep As Long, _
      ByVal pInput As Long, ByVal Reserved2 As Long, _
      ByRef phNewContext As SecHandle, ByRef pOutput As SecBufferDesc, _
      ByRef pfContextAttr As Long, ByRef ptsExpiry As TimeStamp) As Long

Private Declare Function InitializeSecurityContext2 Lib "secur32" _
      Alias "InitializeSecurityContextA" _
      (ByRef phCredential As SecHandle, ByVal phContext As Long, _
      ByVal pszTargetName As Long, ByVal fContextReq As Long, _
      ByVal Reserved1 As Long, ByVal TargetDataRep As Long, _
      ByVal pInput As Long, ByVal Reserved2 As Long, _
      ByRef phNewContext As SecHandle, ByRef pOutput As SecBufferDesc, _
      ByRef pfContextAttr As Long, ByRef ptsExpiry As TimeStamp) As Long

Private Declare Function NT4AcquireCredentialsHandle Lib "security" _
      Alias "AcquireCredentialsHandleA" (ByVal pszPrincipal As Long, _
      ByVal pszPackage As String, ByVal fCredentialUse As Long, _
      ByVal pvLogonId As Long, _
      ByRef pAuthData As SEC_WINNT_AUTH_IDENTITY, _
      ByVal pGetKeyFn As Long, ByVal pvGetKeyArgument As Long, _
      ByRef phCredential As SecHandle, ByRef ptsExpiry As TimeStamp) _
      As Long
      
Private Declare Function AcquireCredentialsHandle Lib "secur32" _
      Alias "AcquireCredentialsHandleA" (ByVal pszPrincipal As Long, _
      ByVal pszPackage As String, ByVal fCredentialUse As Long, _
      ByVal pvLogonId As Long, _
      ByRef pAuthData As SEC_WINNT_AUTH_IDENTITY, _
      ByVal pGetKeyFn As Long, ByVal pvGetKeyArgument As Long, _
      ByRef phCredential As SecHandle, ByRef ptsExpiry As TimeStamp) _
      As Long
      
Private Declare Function NT4AcquireCredentialsHandle2 Lib "security" _
      Alias "AcquireCredentialsHandleA" (ByVal pszPrincipal As Long, _
      ByVal pszPackage As String, ByVal fCredentialUse As Long, _
      ByVal pvLogonId As Long, ByVal pAuthData As Long, _
      ByVal pGetKeyFn As Long, ByVal pvGetKeyArgument As Long, _
      ByRef phCredential As SecHandle, ByRef ptsExpiry As TimeStamp) _
      As Long
      
Private Declare Function AcquireCredentialsHandle2 Lib "secur32" _
      Alias "AcquireCredentialsHandleA" (ByVal pszPrincipal As Long, _
      ByVal pszPackage As String, ByVal fCredentialUse As Long, _
      ByVal pvLogonId As Long, ByVal pAuthData As Long, _
      ByVal pGetKeyFn As Long, ByVal pvGetKeyArgument As Long, _
      ByRef phCredential As SecHandle, ByRef ptsExpiry As TimeStamp) _
      As Long
      
Private Declare Function NT4AcceptSecurityContext Lib "security" _
      Alias "AcceptSecurityContext" (ByRef phCredential As SecHandle, _
      ByRef phContext As SecHandle, ByRef pInput As SecBufferDesc, _
      ByVal fContextReq As Long, ByVal TargetDataRep As Long, _
      ByRef phNewContext As SecHandle, ByRef pOutput As SecBufferDesc, _
      ByRef pfContextAttr As Long, ByRef ptsExpiry As TimeStamp) As Long

Private Declare Function AcceptSecurityContext Lib "secur32" _
      (ByRef phCredential As SecHandle, _
      ByRef phContext As SecHandle, ByRef pInput As SecBufferDesc, _
      ByVal fContextReq As Long, ByVal TargetDataRep As Long, _
      ByRef phNewContext As SecHandle, ByRef pOutput As SecBufferDesc, _
      ByRef pfContextAttr As Long, ByRef ptsExpiry As TimeStamp) As Long

Private Declare Function NT4AcceptSecurityContext2 Lib "security" _
      Alias "AcceptSecurityContext" (ByRef phCredential As SecHandle, _
      ByVal phContext As Long, ByRef pInput As SecBufferDesc, _
      ByVal fContextReq As Long, ByVal TargetDataRep As Long, _
      ByRef phNewContext As SecHandle, ByRef pOutput As SecBufferDesc, _
      ByRef pfContextAttr As Long, ByRef ptsExpiry As TimeStamp) As Long

Private Declare Function AcceptSecurityContext2 Lib "secur32" _
      Alias "AcceptSecurityContext" (ByRef phCredential As SecHandle, _
      ByVal phContext As Long, ByRef pInput As SecBufferDesc, _
      ByVal fContextReq As Long, ByVal TargetDataRep As Long, _
      ByRef phNewContext As SecHandle, ByRef pOutput As SecBufferDesc, _
      ByRef pfContextAttr As Long, ByRef ptsExpiry As TimeStamp) As Long

Private Declare Function NT4CompleteAuthToken Lib "security" _
      Alias "CompleteAuthToken" (ByRef phContext As SecHandle, _
      ByRef pToken As SecBufferDesc) As Long
    
Private Declare Function CompleteAuthToken Lib "secur32" _
      (ByRef phContext As SecHandle, _
      ByRef pToken As SecBufferDesc) As Long
    
Private Declare Function NT4DeleteSecurityContext Lib "security" _
      Alias "DeleteSecurityContext" (ByRef phContext As SecHandle) _
      As Long

Private Declare Function DeleteSecurityContext Lib "secur32" _
      (ByRef phContext As SecHandle) _
      As Long

Private Declare Function NT4FreeCredentialsHandle Lib "security" _
      Alias "FreeCredentialsHandle" (ByRef phContext As SecHandle) _
      As Long

Private Declare Function FreeCredentialsHandle Lib "secur32" _
      (ByRef phContext As SecHandle) _
      As Long

Private Declare Function GetProcessHeap Lib "kernel32" () As Long

Private Declare Function HeapAlloc Lib "kernel32" _
      (ByVal hHeap As Long, ByVal dwFlags As Long, _
      ByVal dwBytes As Long) As Long
        
Private Declare Function HeapFree Lib "kernel32" (ByVal hHeap As Long, _
      ByVal dwFlags As Long, ByVal lpMem As Long) As Long

Private Declare Function GetVersionExA Lib "kernel32" _
   (lpVersionInformation As OSVERSIONINFO) As Integer
      
Dim g_NT4 As Boolean
      
Private Function GenClientContext(ByRef AuthSeq As AUTH_SEQ, _
      ByRef AuthIdentity As SEC_WINNT_AUTH_IDENTITY, _
      ByVal pIn As Long, ByVal cbIn As Long, _
      ByVal pOut As Long, ByRef cbOut As Long, _
      ByRef fDone As Boolean) As Boolean
      
   Dim ss As Long
   Dim tsExpiry As TimeStamp
   Dim sbdOut As SecBufferDesc
   Dim sbOut As SecBuffer
   Dim sbdIn As SecBufferDesc
   Dim sbIn As SecBuffer
   Dim fContextAttr As Long

   GenClientContext = False
   
   If Not AuthSeq.fInitialized Then
      
      If g_NT4 Then
         ss = NT4AcquireCredentialsHandle(0&, "NTLM", _
               SECPKG_CRED_OUTBOUND, 0&, AuthIdentity, 0&, 0&, _
               AuthSeq.hcred, tsExpiry)
      Else
         ss = AcquireCredentialsHandle(0&, "NTLM", _
               SECPKG_CRED_OUTBOUND, 0&, AuthIdentity, 0&, 0&, _
               AuthSeq.hcred, tsExpiry)
      End If
      
      If ss < 0 Then
         Exit Function
      End If

      AuthSeq.fHaveCredHandle = True
   
   End If

   ' Prepare output buffer
   sbdOut.ulVersion = 0
   sbdOut.cBuffers = 1
   sbdOut.pBuffers = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, _
         Len(sbOut))
   
   sbOut.cbBuffer = cbOut
   sbOut.BufferType = SECBUFFER_TOKEN
   sbOut.pvBuffer = pOut
   
   CopyMemory ByVal sbdOut.pBuffers, sbOut, Len(sbOut)

   ' Prepare input buffer
   If AuthSeq.fInitialized Then
      
      sbdIn.ulVersion = 0
      sbdIn.cBuffers = 1
      sbdIn.pBuffers = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, _
            Len(sbIn))
      
      sbIn.cbBuffer = cbIn
      sbIn.BufferType = SECBUFFER_TOKEN
      sbIn.pvBuffer = pIn
      
      CopyMemory ByVal sbdIn.pBuffers, sbIn, Len(sbIn)
   
   End If

   If AuthSeq.fInitialized Then
      
      If g_NT4 Then
         ss = NT4InitializeSecurityContext(AuthSeq.hcred, _
               AuthSeq.hctxt, 0&, 0, 0, SECURITY_NATIVE_DREP, sbdIn, _
               0, AuthSeq.hctxt, sbdOut, fContextAttr, tsExpiry)
      Else
         ss = InitializeSecurityContext(AuthSeq.hcred, _
               AuthSeq.hctxt, 0&, 0, 0, SECURITY_NATIVE_DREP, sbdIn, _
               0, AuthSeq.hctxt, sbdOut, fContextAttr, tsExpiry)
      End If
   
   Else
      
      If g_NT4 Then
         ss = NT4InitializeSecurityContext2(AuthSeq.hcred, 0&, 0&, _
               0, 0, SECURITY_NATIVE_DREP, 0&, 0, AuthSeq.hctxt, _
               sbdOut, fContextAttr, tsExpiry)
      Else
         ss = InitializeSecurityContext2(AuthSeq.hcred, 0&, 0&, _
               0, 0, SECURITY_NATIVE_DREP, 0&, 0, AuthSeq.hctxt, _
               sbdOut, fContextAttr, tsExpiry)
      End If
   
   End If
   
   If ss < 0 Then
      GoTo FreeResourcesAndExit
   End If

   AuthSeq.fHaveCtxtHandle = True

   ' If necessary, complete token
   If ss = SEC_I_COMPLETE_NEEDED _
         Or ss = SEC_I_COMPLETE_AND_CONTINUE Then

      If g_NT4 Then
         ss = NT4CompleteAuthToken(AuthSeq.hctxt, sbdOut)
      Else
         ss = CompleteAuthToken(AuthSeq.hctxt, sbdOut)
      End If
      
      If ss < 0 Then
         GoTo FreeResourcesAndExit
      End If
      
   End If

   CopyMemory sbOut, ByVal sbdOut.pBuffers, Len(sbOut)
   cbOut = sbOut.cbBuffer

   If Not AuthSeq.fInitialized Then
      AuthSeq.fInitialized = True
   End If

   fDone = Not (ss = SEC_I_CONTINUE_NEEDED _
         Or ss = SEC_I_COMPLETE_AND_CONTINUE)

   GenClientContext = True
      
FreeResourcesAndExit:

   If sbdOut.pBuffers <> 0 Then
      HeapFree GetProcessHeap(), 0, sbdOut.pBuffers
   End If
   
   If sbdIn.pBuffers <> 0 Then
      HeapFree GetProcessHeap(), 0, sbdIn.pBuffers
   End If
   
End Function
      

Private Function GenServerContext(ByRef AuthSeq As AUTH_SEQ, _
      ByVal pIn As Long, ByVal cbIn As Long, _
      ByVal pOut As Long, ByRef cbOut As Long, _
      ByRef fDone As Boolean) As Boolean
      
   Dim ss As Long
   Dim tsExpiry As TimeStamp
   Dim sbdOut As SecBufferDesc
   Dim sbOut As SecBuffer
   Dim sbdIn As SecBufferDesc
   Dim sbIn As SecBuffer
   Dim fContextAttr As Long
   
   GenServerContext = False

   If Not AuthSeq.fInitialized Then
      
      If g_NT4 Then
         ss = NT4AcquireCredentialsHandle2(0&, "NTLM", _
               SECPKG_CRED_INBOUND, 0&, 0&, 0&, 0&, AuthSeq.hcred, _
               tsExpiry)
      Else
         ss = AcquireCredentialsHandle2(0&, "NTLM", _
               SECPKG_CRED_INBOUND, 0&, 0&, 0&, 0&, AuthSeq.hcred, _
               tsExpiry)
      End If
      
      If ss < 0 Then
         Exit Function
      End If

      AuthSeq.fHaveCredHandle = True
   
   End If

   ' Prepare output buffer
   sbdOut.ulVersion = 0
   sbdOut.cBuffers = 1
   sbdOut.pBuffers = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, _
         Len(sbOut))
   
   sbOut.cbBuffer = cbOut
   sbOut.BufferType = SECBUFFER_TOKEN
   sbOut.pvBuffer = pOut
   
   CopyMemory ByVal sbdOut.pBuffers, sbOut, Len(sbOut)

   ' Prepare input buffer
   sbdIn.ulVersion = 0
   sbdIn.cBuffers = 1
   sbdIn.pBuffers = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, _
         Len(sbIn))
   
   sbIn.cbBuffer = cbIn
   sbIn.BufferType = SECBUFFER_TOKEN
   sbIn.pvBuffer = pIn
   
   CopyMemory ByVal sbdIn.pBuffers, sbIn, Len(sbIn)
      
   If AuthSeq.fInitialized Then
      
      If g_NT4 Then
         ss = NT4AcceptSecurityContext(AuthSeq.hcred, AuthSeq.hctxt, _
               sbdIn, 0, SECURITY_NATIVE_DREP, AuthSeq.hctxt, sbdOut, _
               fContextAttr, tsExpiry)
      Else
         ss = AcceptSecurityContext(AuthSeq.hcred, AuthSeq.hctxt, _
               sbdIn, 0, SECURITY_NATIVE_DREP, AuthSeq.hctxt, sbdOut, _
               fContextAttr, tsExpiry)
      End If
      
   Else
         
      If g_NT4 Then
         ss = NT4AcceptSecurityContext2(AuthSeq.hcred, 0&, sbdIn, 0, _
               SECURITY_NATIVE_DREP, AuthSeq.hctxt, sbdOut, _
               fContextAttr, tsExpiry)
      Else
         ss = AcceptSecurityContext2(AuthSeq.hcred, 0&, sbdIn, 0, _
               SECURITY_NATIVE_DREP, AuthSeq.hctxt, sbdOut, _
               fContextAttr, tsExpiry)
      End If
   
   End If

   If ss < 0 Then
      GoTo FreeResourcesAndExit
   End If

   AuthSeq.fHaveCtxtHandle = True

   ' If necessary, complete token
   If ss = SEC_I_COMPLETE_NEEDED _
         Or ss = SEC_I_COMPLETE_AND_CONTINUE Then

      If g_NT4 Then
         ss = NT4CompleteAuthToken(AuthSeq.hctxt, sbdOut)
      Else
         ss = CompleteAuthToken(AuthSeq.hctxt, sbdOut)
      End If
      
      If ss < 0 Then
         GoTo FreeResourcesAndExit
      End If
      
   End If

   CopyMemory sbOut, ByVal sbdOut.pBuffers, Len(sbOut)
   cbOut = sbOut.cbBuffer
   
   If Not AuthSeq.fInitialized Then
      AuthSeq.fInitialized = True
   End If

   fDone = Not (ss = SEC_I_CONTINUE_NEEDED _
         Or ss = SEC_I_COMPLETE_AND_CONTINUE)

   GenServerContext = True
   
FreeResourcesAndExit:

   If sbdOut.pBuffers <> 0 Then
      HeapFree GetProcessHeap(), 0, sbdOut.pBuffers
   End If
   
   If sbdIn.pBuffers <> 0 Then
      HeapFree GetProcessHeap(), 0, sbdIn.pBuffers
   End If
   
End Function


Public Function SSPValidateUser(User As String, Domain As String, _
      Password As String) As Boolean

   Dim pSPI As Long
   Dim SPI As SecPkgInfo
   Dim cbMaxToken As Long
   
   Dim pClientBuf As Long
   Dim pServerBuf As Long
   
   Dim ai As SEC_WINNT_AUTH_IDENTITY
   
   Dim asClient As AUTH_SEQ
   Dim asServer As AUTH_SEQ
   Dim cbIn As Long
   Dim cbOut As Long
   Dim fDone As Boolean

   Dim osinfo As OSVERSIONINFO
   
   SSPValidateUser = False
   
   ' Determine if system is Windows NT (version 4.0 or earlier)
   osinfo.dwOSVersionInfoSize = Len(osinfo)
   osinfo.szCSDVersion = Space$(128)
   GetVersionExA osinfo
   g_NT4 = (osinfo.dwPlatformId = VER_PLATFORM_WIN32_NT And _
         osinfo.dwMajorVersion <= 4)

   ' Get max token size
   If g_NT4 Then
      NT4QuerySecurityPackageInfo "NTLM", pSPI
   Else
      QuerySecurityPackageInfo "NTLM", pSPI
   End If
   
   CopyMemory SPI, ByVal pSPI, Len(SPI)
   cbMaxToken = SPI.cbMaxToken
   
   If g_NT4 Then
      NT4FreeContextBuffer pSPI
   Else
      FreeContextBuffer pSPI
   End If

   ' Allocate buffers for client and server messages
   pClientBuf = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, _
         cbMaxToken)
   If pClientBuf = 0 Then
      GoTo FreeResourcesAndExit
   End If
      
   pServerBuf = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, _
         cbMaxToken)
   If pServerBuf = 0 Then
      GoTo FreeResourcesAndExit
   End If

   ' Initialize auth identity structure
   ai.Domain = Domain
   ai.DomainLength = Len(Domain)
   ai.User = User
   ai.UserLength = Len(User)
   ai.Password = Password
   ai.PasswordLength = Len(Password)
   ai.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI

   ' Prepare client message (negotiate) .
   cbOut = cbMaxToken
   If Not GenClientContext(asClient, ai, 0, 0, pClientBuf, cbOut, _
         fDone) Then
      GoTo FreeResourcesAndExit
   End If

   ' Prepare server message (challenge) .
   cbIn = cbOut
   cbOut = cbMaxToken
   If Not GenServerContext(asServer, pClientBuf, cbIn, pServerBuf, _
         cbOut, fDone) Then
      ' Most likely failure: AcceptServerContext fails with
      ' SEC_E_LOGON_DENIED in the case of bad szUser or szPassword.
      ' Unexpected Result: Logon will succeed if you pass in a bad
      ' szUser and the guest account is enabled in the specified domain.
      GoTo FreeResourcesAndExit
   End If

   ' Prepare client message (authenticate) .
   cbIn = cbOut
   cbOut = cbMaxToken
   If Not GenClientContext(asClient, ai, pServerBuf, cbIn, pClientBuf, _
         cbOut, fDone) Then
      GoTo FreeResourcesAndExit
   End If

   ' Prepare server message (authentication) .
   cbIn = cbOut
   cbOut = cbMaxToken
   If Not GenServerContext(asServer, pClientBuf, cbIn, pServerBuf, _
         cbOut, fDone) Then
      GoTo FreeResourcesAndExit
   End If

   SSPValidateUser = True

FreeResourcesAndExit:

   ' Clean up resources
   If asClient.fHaveCtxtHandle Then
      If g_NT4 Then
         NT4DeleteSecurityContext asClient.hctxt
      Else
         DeleteSecurityContext asClient.hctxt
      End If
   End If

   If asClient.fHaveCredHandle Then
      If g_NT4 Then
         NT4FreeCredentialsHandle asClient.hcred
      Else
         FreeCredentialsHandle asClient.hcred
      End If
   End If

   If asServer.fHaveCtxtHandle Then
      If g_NT4 Then
         NT4DeleteSecurityContext asServer.hctxt
      Else
         DeleteSecurityContext asServer.hctxt
      End If
   End If

   If asServer.fHaveCredHandle Then
      If g_NT4 Then
         NT4FreeCredentialsHandle asServer.hcred
      Else
         FreeCredentialsHandle asServer.hcred
      End If
   End If

   If pClientBuf <> 0 Then
      HeapFree GetProcessHeap(), 0, pClientBuf
   End If
   
   If pServerBuf <> 0 Then
      HeapFree GetProcessHeap(), 0, pServerBuf
   End If

End Function

Nick Parker

How to Use Session Level Connection

Pradhip3-Jul-02 6:49

Pradhip

3-Jul-02 6:49

Hi Folks:

I have about 7-8 Pages which all connect to the same database but then generate different record sets with different queries..

So i tried giving only my connection object defnition and opening the connection in global.asa file and then using it in the other asp pages as:-

objCommand.activeConnection=session("objconn") OR
objRS.OPEN(QUERYSTRING,objConn")

but then i am told the paramters im passing are wrong.And so i dont understand how..

Can somebody tell me if im making some fundamental mistake or is it just the code that i have to go through.. Big Grin | :-D

Why Need Parking lots in Bars when Drunken Driving is Prohibited

Re: How to Use Session Level Connection

Chris Rickard3-Jul-02 7:46

Chris Rickard

3-Jul-02 7:46

fundamental mistake:
Placing an open connection object is about the quickest way to bring a web server to its knees. I suggest placing only the connection string in the application object (assuming the connection string does not change throughout the lifetime of the application) this will give you something like thus:

Global.asa

Sub application_onstart 
	application("constring")="PROVIDER=SQLOLEDB;SERVER=localhost;DATABASE=pubs;uid=sa;pwd=;" 
end sub

anASPPage.asp

...
objRS.Open QUERYSTRING,Application("constring")

Or to go one step further in conserving resources:

objCon.Open Application("constring")
objRS.Open QUERYSTRING,objCon
...
objRS.Close
objCon.Close

Web Service Client

Fayez Al-Naddaf3-Jul-02 4:00

Fayez Al-Naddaf

3-Jul-02 4:00

Hello All
I am building a web service using ASP.NET. This web service will be used bu other ASP developers. My questions is: How can I use my web service from ASP (not ASP.NET) web application???
Thanks in advance Smile | :)

Re: Web Service Client

Pravesh Soni6-Jul-02 3:05

Pravesh Soni

6-Jul-02 3:05

Hi,

To access the web services form asp page you have to use the XMLHTTP.

The following snippet from my asp page.

Function GetAppSettings(appKey)

'declaration
Dim url, xmlhttp, dom, node

'Call web service using HTTP-GET method
url="http://localhost/myapp/service1.asmx/"
url=url & "GetAppSettings?key=" & appKey
set xmlhttp = server.createobject("Microsoft.XMLHTTP")
xmlhttp.open("GET",url,False)
xmlhttp.send

'parse the result
set dom=server.createobject("Microsoft.XMLDOM")
dom.load(xmlhttp.responsebody)
set node=dom.selectsinglenode("//string")
if not node is nothing then
GetAppSettings = node.text
end if
End Function

Response.Write GetAppSettings("SpecialOffer")

Cheers,
Entry

ASP.NET and non-unique Session IDs

Paul Watson3-Jul-02 3:57

Paul Watson

3-Jul-02 3:57

Can anyone coroborate a mad client of mine who swears that MS themselves say that Session IDs can sometimes not be unique between active visitors to a web-app?

Session.SessionID <--- that one

I can maybe understand problems creeping in when IIS is being hammered by hundres of thousands of visitors, but this site in question is used by at most three people at a time.
thanks

regards,
Paul Watson
Bluegrass
Cape Town, South Africa

The greatest thing you'll ever learn is just to love, and to be loved in return - Moulin Rouge

Michael P Butler wrote:
Some people fantasise about "real people", others about celebs

Re: ASP.NET and non-unique Session IDs

Michael P Butler3-Jul-02 4:16

Michael P Butler

3-Jul-02 4:16

The only thing I'm aware of is this little bit from MSDN

You should not use the SessionID property to generate primary key values for a database application. This is because if the Web server is restarted, some SessionID values may be the same as those generated before the server was stopped. Instead, you should use an auto-increment column data type, such as IDENTITY with Microsoft® SQL Server, or COUNTER with Microsoft® Access.

which makes sense, but it wouldn't make sense to not have unique session id's whilst the server was running. Unless it's a bug of course.

Michael Smile | :)

Logic, my dear Zoe, merely enables one to be wrong with authority. - The Doctor

Re: ASP.NET and non-unique Session IDs

Paul Watson3-Jul-02 4:59

Paul Watson

3-Jul-02 4:59

Michael P Butler wrote:
Unless it's a bug of course

Thanks Michael, that is the only info I have found on the issue as well.

As for the bug bit, that is what the client is ranting and raving about. We used .NET, but I hardly think even MS would have created a system like ASP.NET which results in non-unique SessionIDs on a low-load app. I can get 10 000 users at once may cause ASP.NET to drop it's pants, but not 3.

Thanks.

I referred to you as a "professional colleague" in my letter to the client Big Grin | :-D

regards,
Paul Watson
Bluegrass
Cape Town, South Africa

The greatest thing you'll ever learn is just to love, and to be loved in return - Moulin Rouge

Michael P Butler wrote:
Some people fantasise about "real people", others about celebs

Re: ASP.NET and non-unique Session IDs

Michael P Butler3-Jul-02 5:14

Michael P Butler

3-Jul-02 5:14

Paul Watson wrote:
I referred to you as a "professional colleague" in my letter to the client

LOL. I've been called a lot of things in my time but never that Wink | ;-)

Michael

Logic, my dear Zoe, merely enables one to be wrong with authority. - The Doctor

Re: ASP.NET and non-unique Session IDs

Chris Rickard3-Jul-02 4:33

Chris Rickard

3-Jul-02 4:33

With the SessionID being a 32bit number it's more likely to issue a duplicate than say a 128bit, but still ultra-unlikely.

The only issues I've ever heard of regarding ASP Sessions are the session cookie hashes being sniffed over the network.

Re: ASP.NET and non-unique Session IDs

Paul Watson3-Jul-02 5:04

Paul Watson

3-Jul-02 5:04

Chris Rickard wrote:
but still ultra-unlikely.

Thanks "professional colleague"* Big Grin | :-D

* read the reply to Michael above

regards,
Paul Watson
Bluegrass
Cape Town, South Africa

The greatest thing you'll ever learn is just to love, and to be loved in return - Moulin Rouge

Michael P Butler wrote:
Some people fantasise about "real people", others about celebs

Re: ASP.NET and non-unique Session IDs

Not Active3-Jul-02 5:18

Not Active

3-Jul-02 5:18

I've seen it that when cookies are disabled on the client browser a new sessionid is generated for each page visit.

Re: ASP.NET and non-unique Session IDs

Jeremy Falcon3-Jul-02 5:57

Jeremy Falcon

3-Jul-02 5:57

I haven't used ASP.NET, but with ASP the Session object relies heavily on cookies to operate. So, this could be a logical conclusion, but personally I haven't seen it happen yet.

If you do have any more info about this, could you please let me know as I am in the middle of rapping up a web app written in ASP that uses this?

Jeremy L. Falcon
Homepage : Sonork = 100.16311

"Victims falling under chains ~ You hear them crying dying pains
The fist of terrors breaking through ~ Now there's nothing you can do"
Song: Phantom Lord - Album: Kill 'em All - Artist: Metallica

PWS + ASP.NET

Mauricio Ritter2-Jul-02 2:10

Mauricio Ritter

2-Jul-02 2:10

Just installed .NET framework on my Windows NT 4.0 Workstation at work. I´ve PWS installed on it, SP6a and MDAC 2.7. The problem is that thw .aspx pages are not being rendered by .net. Anyone facing the same problem ? How can I solve this ?

Mauricio Ritter - Brazil
Sonorking now: 100.13560 Trank

Beer | [beer]

The alcohol is one of the greatest enemys of man, but a man who flee from his enemys is a coward. Beer | [beer]

Re: PWS + ASP.NET

Andy Smith2-Jul-02 6:04

Andy Smith

2-Jul-02 6:04

asp.net is not supported for nt4.

(PHP) A syntax highlighter

Nnamdi Onyeyiri1-Jul-02 10:13

Nnamdi Onyeyiri

1-Jul-02 10:13

i have decided to make a nice an easy admin to my website, so that i do not have to always edit HTML to add more stuff to the site (that way i might actually get ssome content up there), anywaz, i have a script section, and i want to make a script that colourises the code, so i dont have to do it myself, anyone know of one that exists?

p.s. dont forget, i need a php version.

Green Alien | [Alien] Email: theeclypse@hotmail.com URL: http://www.onyeyiri.co.uk

"What goes up must come down. Ask any system administrator"

Re: (PHP) A syntax highlighter

Jeremy Falcon1-Jul-02 10:20

Jeremy Falcon

1-Jul-02 10:20

I like this version of your site much better. Good job!

Jeremy L. Falcon
Homepage : Sonork = 100.16311

"Half the reason people switch away from VB is to find out what actually
goes on.. and then like me they find out that they weren't quite as good
as they thought - they've been nannied." - Alex, 13 June 2002

Re: (PHP) A syntax highlighter

Nnamdi Onyeyiri1-Jul-02 10:22

Nnamdi Onyeyiri

1-Jul-02 10:22

thanks. i started one design, but hated it, then this poped into my head, so i made it. at the mo im practicing my php, by makin an admin for the site, so i can add artwork, downloads, scripts, all by filling in a form, cos my aunt has just got a website, and wants me to make it into a shop

Green Alien | [Alien] Email: theeclypse@hotmail.com URL: http://www.onyeyiri.co.uk

"What goes up must come down. Ask any system administrator"

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.