The ServerVariables collection retrieves the values of predetermined environment variables and request header information.
A malicious user can manipulate header values, so every value this collection returns for a client-supplied header must be treated as untrusted input. As a security precaution, always encode request data before using it. A general method of encoding data is to use Server.HTMLEncode, which protects the HTML output context; it does not make a value safe for other uses (a file path, a SQL statement, a redirect target), which need validation instead. Another method is to write a short function that tests request data for invalid characters. More information can be found in chapter 12 of Writing Secure Code and in Checklist: ASP Security, which you should use when you create your ASP applications.
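The following added example (not code from the original page) shows the two approaches side by side: a minimal HTML encoder that stands in for Server.HTMLEncode so the code runs outside IIS, and an allow-list character check of the kind the text suggests writing yourself. It is written as plain functions in JScript/JavaScript syntax (ES3-compatible) so it runs under Node.js as well as in a classic ASP page that uses <%@ Language="JScript" %>. The request contents, the 256-character limit and the printable-ASCII policy are constructed assumptions for the demonstration.

```javascript
// Added example: encoding and validating request-derived data before use.
// JScript/JavaScript syntax, ES3-compatible. None of this is IIS code or
// code from the original page.

// Minimal HTML encoder for the characters HTML treats specially. Inside an
// ASP page prefer the built-in Server.HTMLEncode; this function exists only
// so the example runs outside IIS. '&' is replaced first so that an entity
// already present in the input is not double-encoded.
function htmlEncode(s) {
  s = String(s);
  return s.replace(/&/g, "&amp;")
          .replace(/</g, "&lt;")
          .replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;");
}

// Allow-list check: accept only printable ASCII (which rejects CR, LF, NUL
// and 8-bit bytes, so a value can never start a new header or log line) and
// cap the length. Both policy values are assumptions of this example.
var MAX_HEADER_VALUE = 256;
var SAFE_VALUE = /^[\x20-\x7E]*$/;

function isSafeHeaderValue(value) {
  value = String(value);
  return value.length <= MAX_HEADER_VALUE && SAFE_VALUE.test(value);
}

// Constructed stand-in for Request.ServerVariables as a hostile client would
// populate it. In ASP you would read, for example,
// String(Request.ServerVariables("HTTP_USER_AGENT")).
var constructedRequest = {
  HTTP_USER_AGENT: 'Mozilla/5.0 <script>alert("xss")</script>',
  HTTP_REFERER:    "http://example.test/page\r\nX-Injected: 1",
  REMOTE_ADDR:     "203.0.113.7"
};

// The HTML a listing page would emit for one variable. The encoded form is
// safe in the response body and inside a double-quoted attribute; the raw
// value is not.
function renderVariable(name, value) {
  return "<TD>" + htmlEncode(name) + "</TD><TD>" + htmlEncode(value) + "</TD>";
}

// Run both checks over every variable. Note the User-Agent passes the
// character check (it is printable ASCII) yet is only harmless once encoded:
// validation and output encoding are complementary, not alternatives.
function demo() {
  var out = {};
  for (var name in constructedRequest) {
    var v = constructedRequest[name];
    out[name] = { safe: isSafeHeaderValue(v), html: renderVariable(name, v) };
  }
  return out;
}
```

The Referer value is rejected by the character check because of the embedded CR/LF, while the script-bearing User-Agent is accepted by it and neutralised only by encoding; a page that relied on one mechanism alone would be exposed to the other payload.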
Request.ServerVariables (server environment variable)
- server environment variable: Specifies the name of the server environment variable to retrieve. It can be one of the following values.
ALL_HTTP - All HTTP headers sent by the client.
ALL_RAW - Retrieves all headers in raw form. The difference between ALL_RAW and ALL_HTTP is that ALL_HTTP places an HTTP_ prefix before the header name and the header name is always capitalized. In ALL_RAW the header names and values appear as they are sent by the client.
APPL_MD_PATH - Retrieves the metabase path for the Application for the ISAPI DLL.
APPL_PHYSICAL_PATH - Retrieves the physical path corresponding to the metabase path. IIS converts APPL_MD_PATH to the physical (directory) path to return this value.
AUTH_PASSWORD - The value entered in the client's authentication dialog. This variable is available only if Basic authentication is used. It is a plaintext secret: never write it to a log or a page.
AUTH_TYPE - The authentication method that the server uses to validate users when they attempt to access a protected script.
AUTH_USER - The name of the user as it is derived from the authorization header sent by the client, before the user name is mapped to a Windows account. This variable is no different from REMOTE_USER. If you have an authentication filter installed on your Web server that maps incoming users to accounts, use LOGON_USER to view the mapped user name.
CERT_COOKIE - Unique ID for the client certificate, returned as a string. This can be used as a signature for the whole client certificate.
CERT_FLAGS - bit0 is set to 1 if the client certificate is present. bit1 is set to 1 if the certification authority of the client certificate is invalid (that is, it is not in the list of recognized certification authorities on the server). Check these bits before relying on any other CERT_ value.
CERT_ISSUER - Issuer field of the client certificate (O=MS, OU=IAS, CN=user name, C=USA).
CERT_KEYSIZE - Number of bits in the Secure Sockets Layer (SSL) connection key size. For example, 128.
CERT_SECRETKEYSIZE - Number of bits in the server certificate private key. For example, 1024.
CERT_SERIALNUMBER - Serial number field of the client certificate.
CERT_SERVER_ISSUER - Issuer field of the server certificate.
CERT_SERVER_SUBJECT - Subject field of the server certificate.
CERT_SUBJECT - Subject field of the client certificate.
CONTENT_LENGTH - The length of the content as given by the client.
CONTENT_TYPE - The data type of the content. Used with queries that have attached information, such as the HTTP queries GET, POST, and PUT.
GATEWAY_INTERFACE - The revision of the CGI specification used by the server. The format is CGI/revision.
HEADER_<HeaderName> - The value stored in the header HeaderName. Any header other than those listed in this table must be preceded by "HEADER_" in order for the ServerVariables collection to retrieve its value. This is useful for retrieving custom headers. Note: Unlike HTTP_<HeaderName>, all characters in HEADER_<HeaderName> are interpreted as-is. For example, if you specify HEADER_MY_HEADER, the server searches for a request header named MY_HEADER.
HTTP_<HeaderName> - The value stored in the header HeaderName. Any header other than those listed in this table must be preceded by "HTTP_" in order for the ServerVariables collection to retrieve its value. This is useful for retrieving custom headers. Note: The server interprets any underscore (_) characters in HeaderName as dashes in the actual header. For example, if you specify HTTP_MY_HEADER, the server searches for a request header named MY-HEADER.
HTTPS - Returns ON if the request came in through a secure channel (for example, SSL), or OFF if the request came in through an insecure channel.
HTTPS_KEYSIZE - Number of bits in the SSL connection key size. For example, 128.
HTTPS_SECRETKEYSIZE - Number of bits in the server certificate private key. For example, 1024.
HTTPS_SERVER_ISSUER - Issuer field of the server certificate.
HTTPS_SERVER_SUBJECT - Subject field of the server certificate.
INSTANCE_ID - The ID for the IIS instance in textual format. If the instance ID is 1, it appears as a string. You can use this variable to retrieve the ID of the Web server instance (in the metabase) to which the request belongs.
INSTANCE_META_PATH - The metabase path for the instance of IIS that responds to the request.
LOCAL_ADDR - Returns the server address on which the request came in. This is important on computers where there can be multiple IP addresses bound to the computer, and you want to find out which address the request used.
LOGON_USER - The Windows account that the user is impersonating while connected to your Web server. Use REMOTE_USER, UNMAPPED_REMOTE_USER, or AUTH_USER to view the raw user name that is contained in the request header. The only time LOGON_USER holds a different value than these other variables is if you have an authentication filter installed.
PATH_INFO - Extra path information, as given by the client. You can access scripts by using their virtual path and the PATH_INFO server variable. If this information comes from a URL, it is decoded by the server before it is passed to the CGI script.
PATH_TRANSLATED - A translated version of PATH_INFO that takes the path and performs any necessary virtual-to-physical mapping.
QUERY_STRING - Query information stored in the string following the question mark (?) in the HTTP request.
REMOTE_ADDR - The IP address of the remote host that is making the request.
REMOTE_HOST - The name of the host that is making the request. If the server does not have this information, it will set REMOTE_ADDR and leave this empty.
REMOTE_PORT - The client port number of the TCP connection.
REMOTE_USER - The name of the user as it is derived from the authorization header sent by the client, before the user name is mapped to a Windows account. If you have an authentication filter installed on your Web server that maps incoming users to accounts, use LOGON_USER to view the mapped user name.
REQUEST_METHOD - The method used to make the request. For HTTP, this can be GET, HEAD, POST, and so on.
SCRIPT_NAME - A virtual path to the script being executed. This is used for self-referencing URLs.
SERVER_NAME - The server's host name, DNS alias, or IP address as it would appear in self-referencing URLs.
SERVER_PORT - The server port number to which the request was sent.
SERVER_PORT_SECURE - A string that contains either 0 or 1. If the request is being handled on the secure port, then this is 1. Otherwise, it is 0.
SERVER_PROTOCOL - The name and revision of the request information protocol. The format is protocol/revision.
SERVER_SOFTWARE - The name and version of the server software that answers the request and runs the gateway. The format is name/version.
URL - Gives the base portion of the URL.
If a client sends a header other than those specified in the preceding table, you can retrieve the value of that header by preceding the header name with "HTTP_" in the call to Request.ServerVariables. For example, if the client sends the following header:
SomeNewHeader: SomeNewValue
you can retrieve SomeNewValue by using the following:
<% strValue = Request.ServerVariables("HTTP_SomeNewHeader") %>
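To make the HTTP_ and HEADER_ naming rules concrete, here is an added example (not IIS code and not from the original page) that models the rules the table states for HTTP_<HeaderName>, HEADER_<HeaderName>, ALL_HTTP and ALL_RAW over a constructed set of request headers, again as ES3-compatible JScript/JavaScript functions. It assumes case-insensitive header-name matching, first match when a name occurs more than once, and a CRLF separator with a "NAME:value" layout for ALL_HTTP; the real IIS output may differ in such details. The point it demonstrates follows from the rules as stated: a header named X_Client_Token cannot be reached through HTTP_X_CLIENT_TOKEN (that name looks for X-Client-Token), and in ALL_HTTP both spellings collapse to the same HTTP_X_CLIENT_TOKEN, so only ALL_RAW or HEADER_<HeaderName> can tell a dashed header from its underscored look-alike.

```javascript
// Added example: a model of the ServerVariables naming rules for headers.
// JScript/JavaScript syntax, ES3-compatible. Not IIS code. Headers are kept
// as an ordered list of [name, value] pairs so order and duplicates survive.

// Constructed request: a normal custom header and an underscored look-alike.
var constructedHeaders = [
  ["Host",            "www.example.test"],
  ["User-Agent",      "curl/8.0"],
  ["X-Client-Token",  "real"],
  ["X_Client_Token",  "spoof"]
];

// ALL_HTTP name: HTTP_ prefix, capitalized, dashes become underscores.
function allHttpName(headerName) {
  return "HTTP_" + headerName.toUpperCase().replace(/-/g, "_");
}

// ALL_HTTP: one "HTTP_NAME:value" entry per header, in the order sent
// (CRLF separator and no space after the colon are assumptions).
function allHttp(headers) {
  var parts = [];
  for (var i = 0; i < headers.length; i++) {
    parts.push(allHttpName(headers[i][0]) + ":" + headers[i][1]);
  }
  return parts.join("\r\n");
}

// ALL_RAW: names and values exactly as the client sent them.
function allRaw(headers) {
  var parts = [];
  for (var i = 0; i < headers.length; i++) {
    parts.push(headers[i][0] + ": " + headers[i][1]);
  }
  return parts.join("\r\n");
}

// Resolve a ServerVariables name against the headers.
//   HTTP_X_Y   -> looks for a header named "X-Y" (underscores read as dashes)
//   HEADER_X_Y -> looks for a header named "X_Y" (characters taken as-is)
// Returns the first match, or "" when nothing matches. Only header-backed
// names are modelled; case-insensitive matching is an assumption.
function serverVariable(headers, varName) {
  var wanted;
  if (varName.indexOf("HTTP_") === 0) {
    wanted = varName.substring(5).replace(/_/g, "-");
  } else if (varName.indexOf("HEADER_") === 0) {
    wanted = varName.substring(7);
  } else {
    return "";
  }
  wanted = wanted.toUpperCase();
  for (var i = 0; i < headers.length; i++) {
    if (headers[i][0].toUpperCase() === wanted) return headers[i][1];
  }
  return "";
}

// Detection check: ALL_HTTP names produced by more than one distinct raw
// header name. Such a pair is indistinguishable once mapped, so a filter
// that inspects only HTTP_ variables cannot tell them apart. Repeats of the
// same raw name (two Cookie headers, say) are not flagged.
function ambiguousAllHttpNames(headers) {
  var firstRaw = {}, flagged = {}, result = [];
  for (var i = 0; i < headers.length; i++) {
    var raw = headers[i][0].toUpperCase();
    var mapped = allHttpName(raw);
    if (!(mapped in firstRaw)) {
      firstRaw[mapped] = raw;
    } else if (firstRaw[mapped] !== raw && !(mapped in flagged)) {
      flagged[mapped] = true;
      result.push(mapped);
    }
  }
  return result;
}
```

In a real page the input to ambiguousAllHttpNames would come from splitting the ALL_RAW value into lines, since by the table's own description that is the one variable that still carries the names as the client spelled them.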
The following example displays several server variables by name:
<HTML>
<!-- This example displays the content of several ServerVariables.
     Request-derived values pass through Server.HTMLEncode before they are
     written into the page, as the security note above advises. -->
ALL_HTTP server variable = <%= Server.HTMLEncode(Request.ServerVariables("ALL_HTTP")) %> <BR>
CONTENT_LENGTH server variable = <%= Server.HTMLEncode(Request.ServerVariables("CONTENT_LENGTH")) %> <BR>
CONTENT_TYPE server variable = <%= Server.HTMLEncode(Request.ServerVariables("CONTENT_TYPE")) %> <BR>
QUERY_STRING server variable = <%= Server.HTMLEncode(Request.ServerVariables("QUERY_STRING")) %> <BR>
SERVER_SOFTWARE server variable = <%= Server.HTMLEncode(Request.ServerVariables("SERVER_SOFTWARE")) %> <BR>
</HTML>
The following example uses the VBScript For Each loop to iterate through each existing server variable name. Some (such as AUTH_USER and LOGON_USER) will be empty if you have Anonymous Access enabled. Both the names and the values are encoded before output, because a client can supply custom headers whose names and values are under its control. The following script lists all of the server variables in a table:
<TABLE BORDER="1">
<TR><TD><B>Server Variable</B></TD><TD><B>Value</B></TD></TR>
<% For Each strKey In Request.ServerVariables %>
<TR>
<TD><%= Server.HTMLEncode(strKey) %></TD>
<TD><%= Server.HTMLEncode(Request.ServerVariables(strKey)) %></TD>
</TR>
<% Next %>
</TABLE>
The following example inserts the name of the server into a hyperlink. SERVER_NAME is derived from the request (the Host header, when the client sends one), so like the other request-derived values it is encoded before being written into the attribute.
<A HREF="http://<%= Server.HTMLEncode(Request.ServerVariables("SERVER_NAME")) %>/scripts/MyPage.asp">Link to MyPage.asp</A>
Caution: Do not trust information in headers when security decisions must be made, because the client can falsify it. For more detailed information, see MS Press, Writing Secure Code.