Discussion:
authentication inside ActiveX control
Walt Welton-Lair
2004-10-04 15:51:47 UTC
I have a simple ActiveX control which uses WinInet to access content via
HTTP. It uses the standard call sequence:
InternetOpen -> InternetOpenUrl -> InternetReadFile
and uses InternetErrorDlg to automatically prompt for user credentials, when
needed.

Now consider the following scenario:
- I use my browser (IE) to access a secure site
- IE prompts me for my credentials, and I log in normally
- I then navigate to a web page on that site which embeds my ActiveX control
- the control uses WinInet, as described above, to access content on that
site

So my question is: will I ever be required to re-enter my credentials?
(Assume that had I made the same request using the parent browser then I
would NOT have been asked to re-authenticate.) Part of me says yes, because
the control is opening its own new connection via InternetOpen. Another
part of me says no, because it's opening the connection in the context of
the browser which is already authenticated.

I did try this using a web service that uses basic authentication, and
didn't have to re-enter my credentials. That's good, but I'm not yet
convinced it will work in all situations. I'm new to WinInet and don't yet
know what it's doing under the covers. I was told that once I'm
authenticated for a particular site then any new connections made to that
site using WinInet will not require re-authentication as long as they're
made as part of the same process. If that's true then it seems I'm ok in my
situation, since the ActiveX control runs in the same process as the parent
browser. Can anyone confirm this? Is the behavior documented anywhere?

Thanks in advance.
Walt
Stephen Sulzer
2004-10-05 10:49:46 UTC
The internal workings of WinInet are mostly undocumented. I do not think you
will find any official documentation describing how WinInet manages
authentication credentials.

WinInet does implement an in-memory process-wide credential cache. So
WinInet will share credentials across multiple InternetOpen session contexts
within the process. (So your ActiveX control can share credentials with
Internet Explorer.)

Credentials are cached more specifically than just to a "site". In addition
to server name, credentials are keyed on the port and URL path (but not
resource/object name). So, for example, if you authenticate a request to
http://abc/def/foo.html, then a request to http://abc/def/xyz/bar.html would
not require authentication, but a request to http://abc/baz.html might.
Also, with Basic and Digest authentication, the "Realm" may also be
significant (e.g., another attribute on which WinInet may key cached
credentials).

WinInet's in-memory credential cache may be flushed by calling
InternetSetOption(NULL, INTERNET_OPTION_END_BROWSER_SESSION, NULL, 0).

So the summary is that WinInet does cache credentials in-memory, but it
could be risky to assume in your component that no more authentication
challenges will be encountered.

Stephen
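
An added example, not part of the post above and not WinInet code: a small C model of the cache scope the reply describes (server, port and URL directory, with the resource name dropped), which a component could use to reason about when a challenge is still possible. The type and function names are hypothetical, the realm is not modelled, and URLs are assumed to carry no query string.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of the cache key described in the reply above:
   server + port + URL directory. Not WinInet code; realm is not modelled. */
typedef struct { char host[64]; int port; char dir[128]; } cred_scope;

/* Parse "http[s]://host[:port]/path" into a scope. Returns 0 on success. */
static int scope_from_url(const char *url, cred_scope *out)
{
    const char *p, *slash, *colon, *last;
    size_t i, hlen, dlen;
    if (strncmp(url, "http://", 7) == 0)       { p = url + 7; out->port = 80; }
    else if (strncmp(url, "https://", 8) == 0) { p = url + 8; out->port = 443; }
    else return -1;
    slash = strchr(p, '/');
    if (!slash) slash = p + strlen(p);              /* no path at all */
    colon = memchr(p, ':', (size_t)(slash - p));
    hlen = (size_t)((colon ? colon : slash) - p);
    if (hlen == 0 || hlen >= sizeof out->host) return -1;
    for (i = 0; i < hlen; i++) out->host[i] = (char)tolower((unsigned char)p[i]);
    out->host[hlen] = '\0';
    if (colon && sscanf(colon + 1, "%d", &out->port) != 1) return -1;
    last = strrchr(slash, '/');                     /* drop the resource name */
    dlen = last ? (size_t)(last - slash) + 1 : 0;
    if (dlen >= sizeof out->dir) return -1;
    if (dlen == 0) strcpy(out->dir, "/");
    else { memcpy(out->dir, slash, dlen); out->dir[dlen] = '\0'; }
    return 0;
}

/* 1 if req_url lies at or below the directory authenticated via auth_url on
   the same server and port; 0 means the component should expect a challenge. */
int covered_by_cache(const char *auth_url, const char *req_url)
{
    cred_scope a, r;
    if (scope_from_url(auth_url, &a) || scope_from_url(req_url, &r)) return 0;
    return strcmp(a.host, r.host) == 0 && a.port == r.port &&
           strncmp(a.dir, r.dir, strlen(a.dir)) == 0;
}

int main(void)
{
    const char *auth = "http://abc/def/foo.html";   /* URLs from the reply */
    printf("%d\n", covered_by_cache(auth, "http://abc/def/xyz/bar.html"));
    printf("%d\n", covered_by_cache(auth, "http://abc/baz.html"));
    return 0;
}
```

A result of 0 only means the request falls outside the modelled scope; the component should keep its InternetErrorDlg handling in place for every request either way.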
Walt Welton-Lair
2004-10-06 19:08:07 UTC
Thanks for the response, Stephen - very helpful.