Included on this page:

• What is the Pubcookie ISAPI Filter?
• Functionality Review
• Authentication Interfaces
• Authorization Issues
• IIS Server Variables
• Logging

What is the Pubcookie ISAPI Filter?

The Pubcookie ISAPI filter uses the Internet Server Application Programming Interface (ISAPI) and the OpenSSL cryptography library to add Pubcookie-based authentication to Microsoft Internet Information Services. The Pubcookie filter specifically implements the application server component of Pubcookie. It is written in C.

Functionality Review

The Pubcookie filter provides the following functionality:

• user authentication via a separate Pubcookie login server
• per-application authentication session management
• per-application inactivity and hard timeouts
• per-application logout
• logging

This functionality can be configured server-wide or on a per-application basis via the filter's registry settings.

Authentication Interfaces

The Pubcookie filter is controlled through properties set in the Windows registry. Authentication is specifically controlled by setting the AuthType property, which, depending on the layout of the application on the filesystem and where authentication is needed, might be applied to an entire website, a folder, or just a single .asp file.

The Pubcookie filter uses the HTTP_PUBCOOKIE_USER server variable to make each authenticated user's identity (usually, a username) available to applications.

Authorization Issues

Pubcookie provides authentication not authorization: it identifies who someone is, not what he or she is permitted to do. Therefore, after authenticating a user, the Pubcookie filter's job is done, and it's up to individual applications to decide what to do next. In practice, application developers use ASP or Global.asa files to implement authorization based on the user identity presented to them by the Pubcookie filter.

IIS Server Variables

The Pubcookie filter sets the following IIS server variables:

Server Variable	Description
HTTP_PUBCOOKIE_USER	authenticated user's identity
HTTP_PUBCOOKIE_VERSION	Pubcookie filter version
HTTP_PUBCOOKIE_APPID	first folder name from webroot
HTTP_PUBCOOKIE_CREDS	Pubcookie credential level (i.e. auth type)
HTTP_PUBCOOKIE_SERVER	hostname of the application server

Logging

The Pubcookie filter logs startup, terminate, and error messages in the System event log under the W3SVC source. These messages reflect the Windows account assigned to handle a request (if one is assigned) not the remote user identity.