HTTP Authentication (Basic or Digest) in ASP Classic via IIS [closed]

Question

I want to develop a website in ASP classic that uses HTTP Authentication against a database or password list that is under the control of the script. Ideally, the solution should involve no components or IIS settings as the script should be runnable in a hosted environment.

Any clues/code deeply appreciated.

Answer 1

It is possible to do HTTP Basic Authentication in pure classic ASP VBScript.

You will need something to decode base 64. Here is a pure VBScript implementation. You will also need to make sure that in your IIS config you turn off "Basic authentication" and "Integrated Windows authentication" as these will interfere with what you get back in the HTTP_AUTHORIZATION header.

Here is a sample implementation that just echoes back the user name and password.

<%@LANGUAGE="VBSCRIPT"%>

<!--#include file="decbase64.asp" -->

<%
Sub Unauth()
    Call Response.AddHeader("WWW-Authenticate", "Basic realm=""SomethingGoesHere""")
    Response.Status = "401 Unauthorized"
    Call Response.End()
End Sub

Dim strAuth
strAuth = Request.ServerVariables("HTTP_AUTHORIZATION")

If IsNull(strAuth) Or IsEmpty(strAuth) Or strAuth = "" Then
    Call Unauth
Else 
    %>
    <html>
    <body>
    <% 
        Dim aParts, aCredentials, strType, strBase64, strPlain, strUser, strPassword
        aParts = Split(strAuth, " ")
        If aParts(0) <> "Basic" Then
            Call Unauth
        End If
        strPlain = Base64Decode(aParts(1))
        aCredentials = Split(strPlain, ":")
    %>
    <%= Server.HTMLEncode(aCredentials(0) & " - " & aCredentials(1)) %>
    </body>
    </html>
    <%
End If
%>

Hooking the user name and password up to something meaningful is left as an exercise for the reader.

Answer 2

By definition, HTTP Authentication is something that is requested by the WebServer, I doubt you will find a solution that does not result in no IIS Settings being applied.

The web browser will connect to your web site, and unless your server responds with an HTTP response code HTTP/1.1 401 Unauthorized, the browse will not pass through the credentials.

You could try and force a response code of 401 and set the header

   WWW-Authenticate: Basic realm="SomethingGoesHere"

Then the browser will prompt the user for username and password, but will be sent over clear-text to the browser (base64 encoded), like this:

Authorization: Basic YnJpYW5iOmJvYmJ5Ym95

Which is translated from Base64 to:

brianb:bobbyboy

I don't know if you'll have access to the Authorization header from your ASP page, or if the Web Server is going to freak out because someone is trying to pass credentials to it when its not expecting it, but could be worth a try...