I want to develop a website in ASP classic that uses HTTP Authentication against a database or password list that is under the control of the script. Ideally, the solution should involve no components or IIS settings as the script should be runnable in a hosted environment.
Any clues/code deeply appreciated.
It is possible to do HTTP Basic Authentication in pure classic ASP VBScript.
You will need something to decode base 64. Here is a pure VBScript implementation. You will also need to make sure that in your IIS config you turn off "Basic authentication" and "Integrated Windows authentication" as these will interfere with what you get back in the HTTP_AUTHORIZATION header.
Here is a sample implementation that just echoes back the user name and password.
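<%@LANGUAGE="VBSCRIPT"%>
<!--#include file="decbase64.asp" -->
<%
' Send a 401 challenge so the browser prompts for credentials, then stop.
Sub Unauth()
    Call Response.AddHeader("WWW-Authenticate", "Basic realm=""SomethingGoesHere""")
    Response.Status = "401 Unauthorized"
    Call Response.End()
End Sub

Dim strAuth
strAuth = Request.ServerVariables("HTTP_AUTHORIZATION")
If IsNull(strAuth) Or IsEmpty(strAuth) Or strAuth = "" Then
    Call Unauth
Else
%>
<html>
<body>
<%
    Dim aParts, aCredentials, strType, strBase64, strPlain, strUser, strPassword
    ' Header format: "Basic <base64 of user:password>"
    aParts = Split(strAuth, " ")
    ' Reject a header with no credentials part before indexing aParts(1).
    If UBound(aParts) < 1 Then
        Call Unauth
    End If
    ' The scheme name is case-insensitive.
    If LCase(aParts(0)) <> "basic" Then
        Call Unauth
    End If
    strPlain = Base64Decode(aParts(1))
    ' Split on the first colon only; the password may itself contain colons.
    aCredentials = Split(strPlain, ":", 2)
    If UBound(aCredentials) < 1 Then
        Call Unauth
    End If
%>
<%= Server.HTMLEncode(aCredentials(0) & " - " & aCredentials(1)) %>
</body>
</html>
<%
End If
%>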
Hooking the user name and password up to something meaningful is left as an exercise for the reader.
By definition, HTTP Authentication is something that is requested by the WebServer, I doubt you will find a solution that does not result in no IIS Settings being applied.
The web browser will connect to your web site, and unless your server responds with an HTTP response code HTTP/1.1 401 Unauthorized, the browser will not pass through the credentials.
You could try and force a response code of 401 and set the header
WWW-Authenticate: Basic realm="SomethingGoesHere"
Then the browser will prompt the user for username and password, but will be sent over clear-text to the browser (base64 encoded), like this:
Authorization: Basic YnJpYW5iOmJvYmJ5Ym95
Which is translated from Base64 to:
brianb:bobbyboy
I don't know if you'll have access to the Authorization header from your ASP page, or if the Web Server is going to freak out because someone is trying to pass credentials to it when it's not expecting it, but could be worth a try...
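An added example, not part of either answer: the credential check that the first answer leaves as an exercise, written in Python rather than VBScript because classic ASP has no built-in password hashing. It parses the Authorization header shown above and verifies it against a script-controlled list of salted PBKDF2 hashes; the account list, iteration count and function names are assumptions made for the illustration.

```python
import base64, binascii, hashlib, hmac, os

ITERATIONS = 100_000  # assumed work factor for this example
REALM = 'Basic realm="SomethingGoesHere"'  # challenge value from the page

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def make_header(user, password):
    """Client side: the Authorization value a browser sends after the prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")

def parse_basic(header):
    """Server side: return (user, password), or None if the header is malformed."""
    scheme, _, token = (header or "").strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        plain = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = plain.partition(":")  # first colon only
    if not sep or not user:
        return None
    return user, password

def make_store(accounts):
    """Keep only a random salt and the derived hash, never the password itself."""
    store = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(password, salt))
    return store

def authenticate(header, store):
    """Return (status, response_headers, user); 401 carries the challenge."""
    challenge = (401, {"WWW-Authenticate": REALM}, None)
    creds = parse_basic(header)
    if creds is None:
        return challenge
    user, password = creds
    # Unknown users still cost one hash, so timing does not reveal valid names.
    salt, expected = store.get(user, (b"\x00" * 16, b"\x00" * 32))
    matches = hmac.compare_digest(hash_password(password, salt), expected)
    return (200, {}, user) if matches and user in store else challenge

# Constructed sample accounts; the first is the page's example pair.
STORE = make_store({"brianb": "bobbyboy", "alice": "pa:ss:word"})
```

Base64 is an encoding, not encryption, so the header is only as private as the connection: serve the page over HTTPS.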