HOWTO: Getting User Name and Password in ISAPI or CGI App

Last reviewed: May 20, 1997
Article ID: Q140964

The information in this article applies to:
  • Microsoft Internet Information Server, version 1.0

SUMMARY

This article explains how to retrieve values for the user name and password in an ISAPI or CGI application.

MORE INFORMATION

The user name and password values can be retrieved in an ISAPI or CGI application according to the following rules.

The user name can only be retrieved when either the Basic authentication scheme or the Microsoft Windows NT Challenge/Response scheme is used. You can get the name by using the REMOTE_USER server variable.

In ISAPI you can use the GetServerVariable() API, and in CGI you can use the getenv() C run-time function.

The following sample code can be used to get the server variable:

....

DWORD dwLength = 0;
CHAR *lpszVar = NULL;

// This will fail with ERROR_INSUFFICIENT_BUFFER,
// since we supplied a NULL buffer. As a result, dwLength will
// indicate the size of the buffer to allocate.
if (!pECB->GetServerVariable(pECB->ConnID,
                             "REMOTE_USER",
                             NULL,
                             &dwLength))
{
    // Handle errors other than ERROR_INSUFFICIENT_BUFFER here.
}

lpszVar = (CHAR *) LocalAlloc(LPTR, dwLength);
if (lpszVar == NULL)
{
    // Handle allocation failure here.
}
else if (!pECB->GetServerVariable(pECB->ConnID,
                                  "REMOTE_USER",
                                  lpszVar,
                                  &dwLength))
{
    // Handle error here.
}

....

The user password can only be retrieved when the Basic authentication scheme is used. The password is not available with the Windows NT Challenge/Response scheme, because the password never gets transmitted on the network.

To retrieve the password with the Basic authentication scheme, you need to parse it out of the HTTP_AUTHORIZATION server variable, which is set from the HTTP Authorization header. HTTP_AUTHORIZATION has the following value:

   Basic xxxxxxxxxxxxxxx

where Basic is the authentication scheme used, followed by a space, and "xxxxxxxxxxxxxxx" is the UUENCODED string for the "User-Name:User-Password" pair separated by the semicolon.
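
The parsing step described above, as an added example (not code from the original article): it decodes the credential with Base64, the encoding that HTTP Basic authentication uses and that the article refers to as UUENCODE, and splits at the first colon, the separator shown in the "User-Name:User-Password" pair. The name parse_basic_auth, its buffer parameters and the 256-byte limit are assumptions of this example; the input would be the value of the HTTP_AUTHORIZATION server variable.

```c
#include <string.h>

/* Map one Base64 character to its 6-bit value, or -1 if it is invalid. */
static int b64_val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* parse_basic_auth (hypothetical helper): split "Basic <base64>" into user
 * and password. Returns 0 on success, -1 on wrong scheme, bad Base64,
 * embedded NUL, missing ':' or an output buffer that is too small. */
int parse_basic_auth(const char *hdr, char *user, size_t ulen,
                     char *pass, size_t plen)
{
    char buf[256], *colon;
    size_t n = 0, i, len;
    unsigned acc = 0;
    int bits = 0, rc = -1;

    if (hdr == NULL || strncmp(hdr, "Basic ", 6) != 0) return -1;
    hdr += 6;
    len = strlen(hdr);
    while (len > 0 && hdr[len - 1] == '=') len--;      /* drop padding */
    for (i = 0; i < len; i++) {
        int v = b64_val((unsigned char)hdr[i]);
        if (v < 0 || n + 1 >= sizeof buf) goto done;   /* bad char / too long */
        acc = (acc << 6) | (unsigned)v;
        bits += 6;
        if (bits >= 8) { bits -= 8; buf[n++] = (char)((acc >> bits) & 0xFF); }
    }
    buf[n] = '\0';
    if (memchr(buf, 0, n) != NULL) goto done;          /* embedded NUL */
    colon = strchr(buf, ':');   /* first ':' only; a password may contain ':' */
    if (colon == NULL) goto done;
    *colon = '\0';
    if (strlen(buf) >= ulen || strlen(colon + 1) >= plen) goto done;
    strcpy(user, buf);
    strcpy(pass, colon + 1);
    rc = 0;
done:
    memset(buf, 0, sizeof buf);  /* scrub clear-text copy (best effort) */
    return rc;
}
```

A compiler may optimize away the final memset; on Windows, SecureZeroMemory is the call intended for scrubbing such buffers. The caller should likewise clear the password buffer once it is no longer needed.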

Notes:

  • The UUENCODE and UUDECODE routines are available from many public sources.
  • The user password cannot be retrieved via the REMOTE_PASS server variable.
  • In an IIS Filter application, the password (if available) can be retrieved in clear text from the HTTP_FILTER_AUTHENT structure:

          typedef struct _HTTP_FILTER_AUTHENT
          {
              CHAR *   pszUser;
              DWORD    cbUserBuff;
              CHAR *   pszPassword;
              DWORD    cbPasswordBuff;
          } HTTP_FILTER_AUTHENT, *PHTTP_FILTER_AUTHENT;

For additional information, please see the HTTP protocol specification, available at http://www.w3.org.


Keywords : IISAPI kbnetwork
Technology : kbInetDev
Version : 1.0
Platform : NT WINDOWS
Issue type : kbhowto



© 1998 Microsoft Corporation. All rights reserved.