What Is AuthManager?

Commerce Server 2007
For the latest version of Commerce Server 2007 Help, see the Microsoft Web site.

In earlier versions of Microsoft Commerce Server, the AuthManager object was provided to manage user authentication. If you are creating a new Commerce Server application, you should use the Commerce Server Membership Provider to authenticate users, instead of the AuthManager object. AuthManager is provided for backward compatibility only.

For more information about the Commerce Server Membership provider, see What Is the Commerce Server Membership Provider? and How to Enable Logons by Using the Commerce Server Membership Provider.

The AuthManager object identifies users and gathers information that is used for user authentication. The methods and properties of the AuthManager object control and access the contents of cookies and encoded URL strings.

Authentication uses tickets to provide information about the user. A ticket is a string of property/value pairs. AuthManager supports two types of tickets: an MSCSAuth ticket and an MSCSProfile ticket. The following table summarizes the differences between the MSCSAuth ticket and the MSCSProfile ticket.


MSCSAuth ticket

MSCSProfile ticket


Session cookie/encoded URL string

Persistent cookie/encoded URL string

User Type




Unique user ID, last logon time, time window

Unique user ID

In this context, "registered" refers to a user who has successfully completed the registration process for the site.

The AuthManager object provides methods to put the ticket into a cookie or into an encoded URL string, depending on whether cookies are enabled on the client. When you use the AuthManager object together with the AuthFilter ISAPI filter, cookies must be enabled.

For an MSCSAuth ticket, the AuthManager object can check the validity of the ticket using the IsAuthenticated method. The IsAuthenticated method checks whether the request from the user contains an MSCSAuth ticket. If the request does contain an MSCSAuth ticket, the method checks the current time against the last logon time set on the ticket to see whether the logon time is within the time window specified in the ticket. If it is, the method returns True, indicating that this is a valid MSCSAuth ticket. If the current time is within five minutes of the last logon time plus the time window, the last logon time on the ticket is updated to the current time so the active user can continue browsing.


If a user has both an MSCSAuth ticket and an MSCSProfile, the MSCSAuth ticket takes precedence.


The MSCSAuth ticket time-out starts when the user first logs on and is not reset upon subsequent updates. This causes the IsAuthenticated method to return false. If you need the time-out value to be reset upon each refresh of a page, you will have to issue a new ticket every time. However, this can adversely affect performance. If you must reissue a new ticket, make sure that you check whether the user is already authenticated first before issuing a new ticket.

If the user does not allow cookies, the ticket is stored in an encoded URL string. The URL string can be used to pass user information between pages and Web sites, as the AuthManager object generates all the URLs and query strings.

The AuthManager object provides a transparent interface to the tickets, whether they are stored in cookies or in URL query strings, and handles encryption and decryption of the tickets to help ensure security.

The AuthManager object must be used with ASP, because it depends on ASP intrinsic objects. Do not create the AuthManager object in application scope, because it depends on an individual user session. Create and destroy an AuthManager object on each ASP page.