Another function of Request object is the retrieving of HTTP
server variables, and client variables
from the client.
Request.ServerVariables
Collection retrieves the values of predetermined environment variable.
Or in an ASP file. Imply
The parameter "server
environment variable"
is the name of the server environment variable to be retrieved. The data type of
"server environment variable" is string and is enclosed by quotation marks (" "). The
possible values of server environment variable are
| Variable Name |
Description |
|---|
| ALL_HTTP |
All HTTP headers sent by client. |
| ALL_RAW |
All raw data of headers sent by client |
| APP_POOL_ID |
The name of the application pool of the IIS worker process that handling the
request. (Not available in IIS 5.1 and earlier). There is also an APP_POOL_ID
environment variable. |
| APPL_MD_PATH |
The metabase path of the application |
| APPL_PHYSICAL_PATH |
The physical path of the path specified in APPL_MD_PATH |
| AUTH_PASSWORD |
The value in the authentication dialog entered by the client. Variable only
available when Basic authentication is used. |
| AUTH_TYPE |
The authentication method that the server uses to validate users when attempting
to access a protected scipt.
The server allows authentication schemes it does not natively support because an
ISAPI filter may be able to handle that particular scheme. Therefore AUTH_TYPE
contains a value and the authentication scheme is not Basic or integrated
Windows authentication does not mean that the user was authenticated. |
| AUTH_USER |
The user name derived from the authorization header sent by the client, before
the user name is mapped to a Windows account. The variable is same as
REMOTE_USER.
If an authentication filter is installed on the web server for mapping incoming
users to accounts, the mapped user name can be retrieved by LOGON_USER |
| CACHE_URL |
For use in ISAPI applications only. (Not available in IIS 5.1 and earlier). The
unambiguous name for the current URL. It is necessary to use the Unicode version
of this variable in conjuntion with teh kernel mode cache invalidation function
to evict entries placed in the cache by HSE_REQ_VECTOR_SEND.
The server variable "UNICODE_CACHE_URL" is used in conjunction with teh cache
invalidation function retrieved by the HSE_REQ_GET_CACHE_INVALIDATION_CALLBACK
function which invalidates responses cached in HTTP.SYS, whether those responses
are produced by requests or by ISAPIs calling HSE_REQ_VECTOR_SEND |
| CERT_COOKIE |
Unique ID of data type string for the client certificate. This ID can be used as
a signature for the whole client certificate. |
| CERT_FLAGS |
Certificate flags.
bit0 is set to 1 if the client certificate is present.
bit1 is set to 1 if the certifcation authority of the client certificate is
invalid. (or it is not in the list of recognized certification authorities on
the server)
For an invalid certificate with bit1 is set to 1:
IIS 4.0 and later will reject the certificate while earlier IIS versions will
not reject the certificate. |
| CERT_ISSUER |
The issuer field of the client certificate (O=MS, OU=IAS, CN=user name, C=USA) |
| CERT_KEYSIZE |
The number of bits in the Secure Sockets Layer (SSL) connection key size. For
example, 128. |
| CERT_SECRETKEYSIZE |
The number of bits in server certificate private key. For example, 1024 |
| CERT_SERIALNUMBER |
The serial number field of the client certificate. |
| CERT_SERVER_ISSUER |
The issuer field of the server certificate. |
| CERT_SERVER_SUBJECT |
The subject field of the server certificate. |
| CERT_SUBJECT |
The subject field of the client certificate. |
| CONTENT_LENGTH |
The length of the content as given by the client. |
| CONTENT_TYPE |
The data type of the content. Used with queries that have attached information
for further processing , such as the HTTP queries GET, POST, and PUT. |
| GATEWAY_INTERFACE |
The revision of the CGI specification used by the server with format
CGI/revision. |
| HEADER_<HeaderName> |
The value stored in the header <HeaderName>. This is used to retrieve custom
headers other than those header listed in the table. Those header not listed in
the table must be preceded by "HEADER_" in order to be retrieved by the
ServerVariables collection. (Not available in IIS 5.1 and earlier).
Unlike HTTP_<HeaderName> all characters in HEADER_<HeaderName> are interpreted
as-is. For example request header name MY_HEADER is specified by
HEADER_MY_HEADER |
| HTTP_<HeaderName> |
The value stored in the header <HeaderName>. This is used to retrieve custom
headers other than those header listed in the table. Those header not listed in
the table must be preceded by "HTTP_" in order to be retrieved by the
ServerVariables collection.
Unlike HEADER_<HeaderName> The character underscore in <HeaderName> are
interpreted as dash "-" in the actual header name by the server. For example
request header name MY-HEADER is specified by HTTP_MY_HEADER |
| HTTP_ACCEPT |
The list of the accepted format in the Accept header. For example, "image/gif,
image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel". Values of
the fields for the HTTP_ACCEPT variable are concatenated, and separated by a
comma (,). |
| HTTP_ACCEPT_ENCODING |
The list of the accepted encoding types in accept-encoding. For example, "gzip,
deflate" |
| HTTP_ACCEPT_LANGUAGE |
A string describing the language to use for displaying content in
accept-language header. |
| HTTP_CONNECTION |
A string describing the connection type in connection header. For example,
"Keep-Alive" |
| HTTP_COOKIE |
The cookie string in cookie header |
| HTTP_HOST |
The name of the web server. This may or may not be the same as SERVER_NAME
depending on type of name resolution using on the Web server (IP address, host
header). |
| HTTP_METHOD |
The method name used to make the request. (Same as REQUEST_METHOD) |
| HTTP_REFERER |
The string containing the URL of the page that referred the request to the
current page using an HTML <A> tag. URL is the one that typing in the browser
address bar, which may not include the name of a default document.
If the page is redirected, HTTP_REFERER is empty.
HTTP_REFERER is not a mandatory member of the HTTP specification. |
| HTTP_URL |
The string containing the raw, encoded URL, for example,
"/dir/default.asp?querystring" |
| HTTP_USER_AGENT |
The string describing the browser that sent the request |
| HTTP_VERSION |
The name and version of the request protocol. The raw form of SERVER_PROTOCOL |
| HTTPS |
The flag to indicate the request channel. Return ON if the request come in
through a secure channel (for example, SSL). Or return OFF if the request come
in through an insecure channel. |
| HTTPS_KEYSIZE |
The number of bits in the SSL connection key size. For example, 128 |
| HTTPS_SECRETKEYSIZE |
The number of bits in the server certificate private key. For example, 1024 |
| HTTPS_SERVER_ISSUER |
The issuer field of the server certificate. |
| HTTPS_SERVER_SUBJECT |
The subject field of the server certificate |
| INSTANCE_ID |
The ID for the IIS instance in textual format. If the instance ID is 1, it
appears as a string. This variable can be used to retrieve the ID of the Web
SERVER instance (in the metabase) to which the request belongs. |
| INSTANCE_META_PATH |
The metabase path for the instance of IIS that responds to the request. |
| LOCAL_ADDR |
The server address on which the request came in. This is important on computers
where there can be multiple IP addresses bound to the computer for identifying
by which address the request used. |
| LOGON_USER |
The Windows account that the user is impersonating while connected to the web
server. While REMOTE_USER, UNMAPPED_REMOTE_USER, or AUTH_USER can be used to
retrieve the raw user name that is contained in the request header. The
LOGON_USER holds a different value than these other variables only if an
authentication filter is installed. |
| PATH_INFO |
Path information specified by the client. for example, "/dir/myisapi.dll/zip".
If this information comes from a URL, it is decoded by the server before it is
passed to the CGI script or ISAPI filter.
If the AllowPathInfoForScriptMappings metabase property is set to true (to
support exclusive CGI functionality), PATH_INFO will only contain "/zip" and
ISAPI application, such as ASP will break. |
| PATH_TRANSLATED |
The physical path that maps to the virtual path in PATH_INFO, for example, "
c:\inetpub\wwwrot\dir\myisapi.dll". This variable is used by IIS during the
processing of ISAPI applications.
If the AllowPathInfoForScriptMappings metabase property is set to true (to
support exclusive CGI functionality), PATH_INFO will only contain "/zip" and
ISAPI application, such as ASP will break. |
| QUERY_STRING |
The query information stored in the string following the question mark (?) in
the HTTP request. |
| REMOTE_ADDR |
The IP address of the remote host that is making the request. |
| REMOTE_HOST |
The name of the host that is making the request. If the server does not have
this information, the server will set REMOTE_ADDR and leave the REMOTE_HOST
empty. |
| REMOTE_PORT |
The client port number of the TCP connection. |
| REMOTE_USER |
The user name derived from the authorization header sent by the client, before
the user name is mapped to a Windows account. The variable is same as AUTH_USER.
If an authentication filter is installed on the web server for mapping incoming
users to accounts, the mapped user name can be retrieved by LOGON_USER |
| REQUEST_METHOD |
The method used to make th request. For HTTP, this can be GET, HEAD, POST, and
so on. |
| SCRIPT_NAME |
A virtual path to the script being executed, for example, "/dir/default.asp".
This is used for self-referencing URLs. |
| SCRIPT_TRANSLATED |
The canonical physical path to the script listed in SCRIPT_NAME, for example, "\\?\c:\inetpub\wwwroot\dir\default.asp.".
(Not available in IIS 5.1 and earlier) |
| SERVER_NAME |
The server's host name, DNS alias, or IP address as it would appear in
self-referencing URLs. |
| SERVER_PORT |
The server port number to which the request was sent. |
| SERVER_PORT_SECURE |
A string that contains either 0 or 1 to indicate whether the connection is
handled by a secure port. If the request being handled on the secure poth, the
string is 1. Otherwise the string is 0. |
| SERVER_PROTOCOL |
The name and revision of the request information protocol. The format is
protocol/revision. (The canonicalized form of HTTP_VERSION.) |
| SERVER_SOFTWARE |
The name and version of the server software that answers the request and runs
the gateway. The format is name/version. |
| SSI_EXEC_DISABLED |
Returns a 1 if the server-side include directive, #exec, is disabled. Otherwise,
SSI_EXEC_DISABLED returns a 0. To enable or disable, #exec, use the
SSIExecDisable metabase property. (Not available in IIS 5.1 and earlier) |
| UNENCODED_URL |
The string contains the raw, unencoded URL, for example,
"/dir/default.asp?querystring" (Not available in IIS 4.0 and earlier) |
| UNICODE_<ServerVariableName> |
In unicode ISAPI applications only, it is possible to retrieve server variable
values as unicode values by prepending "UNICODE_" to the name of the server
variable, unless the variable starts with "HTTP_" or "HEADER_". (Not available
in IIS 5.1 and earlier) |
| UNMAPPED_REMOTE_USER |
The user name derived from the authorization header sent by the client, before
the user name is mapped to a Windos account (same as REMOTE_USER). If an
authentication filter is installed on the web server for mapping incoming users
to accounts, the mapped user name can be retrieved by LOGON_USER |
| URL |
Gives the base portion of the URL, without any querystring or extra path
information, for example, "/dir/default.asp".
For the raw URL, use HTTP_URL or UNENCODED_URL. |
| URL_PATH_INFO |
Use PATH_INFO instead. (Only available in IIS 5.0) |
Server variables collection are only strings contained in an request headers. The values
of Server variables collection can also be generated by any user. Therefore
Server variables data
in the HTTP header is not a secure way to identify a user. And header data or
user input should be encoded or be validated before using..
There are two ways to retrieve the values of headers that are not specified in
the list of server variables. They are the using of "HEADER_<HeaderName>"
and "HTTP_<HeaderName>" as the variable name by preceding the new header
with "HEADER_" or "HTTP_". They are only different in the interpretation of the
header name as described in the variable name table.
Unlike QueryString Collection, Form collection and Cookies collection, the
server variables collection can only be used to retrieve available information
from the client the header and the web server because IIS cannot create client
headers.
Since the multiple values of
cookie dictionary or cookies collection is in the form of an collection, the values of the keys of a cookie
dictionary or the values of the cookie elements of a cookies collection should be retrieved using a for each element
loop in order to get the name of the element.
Sideway
BICK BLOG from Sideway
