Sideway BICK Blog from Sideway


Link:http://output.to/sideway/default.asp?qno=120200020

ServerVariables

Request Object

Another function of the Request object is retrieving HTTP server variables and client variables sent by the client.

Request.ServerVariables Collection

The Request.ServerVariables collection retrieves the values of predetermined environment variables.

Syntax:

Request.ServerVariables( server environment variable )

Or, in an ASP file:

<% Request.ServerVariables( server environment variable ) %>

Parameters:

server environment variable

The parameter "server environment variable" is the name of the server environment variable to be retrieved. The data type of "server environment variable" is string, and the name is enclosed in quotation marks (" "). The possible values of server environment variable are:

Variable Name Description
ALL_HTTP All HTTP headers sent by client.
ALL_RAW All raw data of headers sent by client
APP_POOL_ID The name of the application pool of the IIS worker process that is handling the request. (Not available in IIS 5.1 and earlier). There is also an APP_POOL_ID environment variable.
APPL_MD_PATH The metabase path of the application
APPL_PHYSICAL_PATH The physical path of the path specified in APPL_MD_PATH
AUTH_PASSWORD The value in the authentication dialog entered by the client. Variable only available when Basic authentication is used.
AUTH_TYPE The authentication method that the server uses to validate users when they attempt to access a protected script.
The server allows authentication schemes it does not natively support because an ISAPI filter may be able to handle that particular scheme. Therefore, the fact that AUTH_TYPE contains a value, when the authentication scheme is not Basic or integrated Windows authentication, does not mean that the user was authenticated.
AUTH_USER The user name derived from the authorization header sent by the client, before the user name is mapped to a Windows account. The variable is the same as REMOTE_USER.
If an authentication filter is installed on the web server for mapping incoming users to accounts, the mapped user name can be retrieved by LOGON_USER.
CACHE_URL For use in ISAPI applications only. (Not available in IIS 5.1 and earlier). The unambiguous name for the current URL. It is necessary to use the Unicode version of this variable in conjunction with the kernel mode cache invalidation function to evict entries placed in the cache by HSE_REQ_VECTOR_SEND.
The server variable "UNICODE_CACHE_URL" is used in conjunction with the cache invalidation function retrieved by the HSE_REQ_GET_CACHE_INVALIDATION_CALLBACK function, which invalidates responses cached in HTTP.SYS, whether those responses are produced by requests or by ISAPIs calling HSE_REQ_VECTOR_SEND.
CERT_COOKIE Unique ID of data type string for the client certificate. This ID can be used as a signature for the whole client certificate.
CERT_FLAGS Certificate flags.
bit0 is set to 1 if the client certificate is present.
bit1 is set to 1 if the certification authority of the client certificate is invalid (or is not in the list of recognized certification authorities on the server).
For an invalid certificate with bit1 set to 1, IIS 4.0 and later will reject the certificate, while earlier IIS versions will not reject it.
CERT_ISSUER The issuer field of the client certificate (O=MS, OU=IAS, CN=user name, C=USA)
CERT_KEYSIZE The number of bits in the Secure Sockets Layer (SSL) connection key size. For example, 128.
CERT_SECRETKEYSIZE The number of bits in server certificate private key. For example, 1024
CERT_SERIALNUMBER The serial number field of the client certificate.
CERT_SERVER_ISSUER The issuer field of the server certificate.
CERT_SERVER_SUBJECT The subject field of the server certificate.
CERT_SUBJECT The subject field of the client certificate.
CONTENT_LENGTH The length of the content as given by the client.
CONTENT_TYPE The data type of the content. Used with queries that have attached information for further processing, such as the HTTP queries GET, POST, and PUT.
GATEWAY_INTERFACE The revision of the CGI specification used by the server with format CGI/revision.
HEADER_<HeaderName> The value stored in the header <HeaderName>. This is used to retrieve custom headers other than those listed in the table. Headers not listed in the table must be preceded by "HEADER_" in order to be retrieved by the ServerVariables collection. (Not available in IIS 5.1 and earlier).
Unlike HTTP_<HeaderName>, all characters in HEADER_<HeaderName> are interpreted as-is. For example, the request header name MY_HEADER is specified by HEADER_MY_HEADER.
HTTP_<HeaderName> The value stored in the header <HeaderName>. This is used to retrieve custom headers other than those listed in the table. Headers not listed in the table must be preceded by "HTTP_" in order to be retrieved by the ServerVariables collection.
Unlike HEADER_<HeaderName>, underscore characters in <HeaderName> are interpreted as dashes "-" in the actual header name by the server. For example, the request header name MY-HEADER is specified by HTTP_MY_HEADER.
HTTP_ACCEPT The list of the accepted format in the Accept header. For example, "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel". Values of the fields for the HTTP_ACCEPT variable are concatenated, and separated by a comma (,).
HTTP_ACCEPT_ENCODING The list of the accepted encoding types in accept-encoding. For example, "gzip, deflate"
HTTP_ACCEPT_LANGUAGE A string describing the language to use for displaying content in accept-language header.
HTTP_CONNECTION A string describing the connection type in connection header. For example, "Keep-Alive"
HTTP_COOKIE The cookie string in cookie header
HTTP_HOST The name of the web server. This may or may not be the same as SERVER_NAME, depending on the type of name resolution used on the Web server (IP address, host header).
HTTP_METHOD The method name used to make the request. (Same as REQUEST_METHOD)
HTTP_REFERER The string containing the URL of the page that referred the request to the current page using an HTML <A> tag. The URL is the one typed in the browser address bar, which may not include the name of a default document.
If the page is redirected, HTTP_REFERER is empty.
HTTP_REFERER is not a mandatory member of the HTTP specification.
HTTP_URL The string containing the raw, encoded URL, for example, "/dir/default.asp?querystring"
HTTP_USER_AGENT The string describing the browser that sent the request
HTTP_VERSION The name and version of the request protocol. The raw form of SERVER_PROTOCOL
HTTPS The flag indicating the request channel. Returns ON if the request came in through a secure channel (for example, SSL), or OFF if the request came in through an insecure channel.
HTTPS_KEYSIZE The number of bits in the SSL connection key size. For example, 128
HTTPS_SECRETKEYSIZE The number of bits in the server certificate private key. For example, 1024
HTTPS_SERVER_ISSUER The issuer field of the server certificate.
HTTPS_SERVER_SUBJECT The subject field of the server certificate
INSTANCE_ID The ID for the IIS instance in textual format. If the instance ID is 1, it appears as a string. This variable can be used to retrieve the ID of the Web SERVER instance (in the metabase) to which the request belongs.
INSTANCE_META_PATH The metabase path for the instance of IIS that responds to the request.
LOCAL_ADDR The server address on which the request came in. This is important on computers where multiple IP addresses can be bound to the computer, for identifying which address the request used.
LOGON_USER The Windows account that the user is impersonating while connected to the web server. REMOTE_USER, UNMAPPED_REMOTE_USER, or AUTH_USER can be used to retrieve the raw user name that is contained in the request header. LOGON_USER holds a different value than these other variables only if an authentication filter is installed.
PATH_INFO Path information specified by the client, for example, "/dir/myisapi.dll/zip". If this information comes from a URL, it is decoded by the server before it is passed to the CGI script or ISAPI filter.
If the AllowPathInfoForScriptMappings metabase property is set to true (to support exclusive CGI functionality), PATH_INFO will only contain "/zip" and ISAPI applications, such as ASP, will break.
PATH_TRANSLATED The physical path that maps to the virtual path in PATH_INFO, for example, "c:\inetpub\wwwroot\dir\myisapi.dll". This variable is used by IIS during the processing of ISAPI applications.
If the AllowPathInfoForScriptMappings metabase property is set to true (to support exclusive CGI functionality), PATH_INFO will only contain "/zip" and ISAPI applications, such as ASP, will break.
QUERY_STRING The query information stored in the string following the question mark (?) in the HTTP request.
REMOTE_ADDR The IP address of the remote host that is making the request.
REMOTE_HOST The name of the host that is making the request. If the server does not have this information, the server will set REMOTE_ADDR and leave the REMOTE_HOST empty.
REMOTE_PORT The client port number of the TCP connection.
REMOTE_USER The user name derived from the authorization header sent by the client, before the user name is mapped to a Windows account. The variable is the same as AUTH_USER.
If an authentication filter is installed on the web server for mapping incoming users to accounts, the mapped user name can be retrieved by LOGON_USER.
REQUEST_METHOD The method used to make the request. For HTTP, this can be GET, HEAD, POST, and so on.
SCRIPT_NAME A virtual path to the script being executed, for example, "/dir/default.asp". This is used for self-referencing URLs.
SCRIPT_TRANSLATED The canonical physical path to the script listed in SCRIPT_NAME, for example, "\\?\c:\inetpub\wwwroot\dir\default.asp.". (Not available in IIS 5.1 and earlier)
SERVER_NAME The server's host name, DNS alias, or IP address as it would appear in self-referencing URLs.
SERVER_PORT The server port number to which the request was sent.
SERVER_PORT_SECURE A string that contains either 0 or 1 to indicate whether the connection is handled by a secure port. If the request is being handled on the secure port, the string is 1. Otherwise the string is 0.
SERVER_PROTOCOL The name and revision of the request information protocol. The format is protocol/revision. (The canonicalized form of HTTP_VERSION.)
SERVER_SOFTWARE The name and version of the server software that answers the request and runs the gateway. The format is name/version.
SSI_EXEC_DISABLED Returns a 1 if the server-side include directive, #exec, is disabled. Otherwise, SSI_EXEC_DISABLED returns a 0. To enable or disable, #exec, use the SSIExecDisable metabase property. (Not available in IIS 5.1 and earlier)
UNENCODED_URL The string contains the raw, unencoded URL, for example, "/dir/default.asp?querystring" (Not available in IIS 4.0 and earlier)
UNICODE_<ServerVariableName> In unicode ISAPI applications only, it is possible to retrieve server variable values as unicode values by prepending "UNICODE_" to the name of the server variable, unless the variable starts with "HTTP_" or "HEADER_". (Not available in IIS 5.1 and earlier)
UNMAPPED_REMOTE_USER The user name derived from the authorization header sent by the client, before the user name is mapped to a Windows account (same as REMOTE_USER). If an authentication filter is installed on the web server for mapping incoming users to accounts, the mapped user name can be retrieved by LOGON_USER.
URL Gives the base portion of the URL, without any querystring or extra path information, for example, "/dir/default.asp".
For the raw URL, use HTTP_URL or UNENCODED_URL.
URL_PATH_INFO Use PATH_INFO instead. (Only available in IIS 5.0)

Remarks:

The values in the ServerVariables collection are only strings contained in the request headers, and they can be generated by any user. Server variable data from the HTTP header is therefore not a secure way to identify a user, and header data or user input should be encoded or validated before use.
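As an added illustration of the remark above (not code from the original page), the following ASP page validates HTTP_HOST against an allow-list, HTML-encodes header values before writing them, and reads the identity from LOGON_USER rather than from a header. The constant ALLOWED_HOSTS, its example.com values, and the helpers IsAllowedHost and H are assumptions made for this example.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit

' Added example, not code from the original page.
' Assumption: the site answers only to the host names listed here.
Const ALLOWED_HOSTS = "www.example.com,example.com"

' True when the host (case-insensitive, port removed) is on the allow-list.
' Anything else, including IPv6 literals, fails the comparison and is refused.
Function IsAllowedHost(ByVal host)
    Dim name, candidate
    IsAllowedHost = False
    name = LCase(Trim(host))
    If InStr(name, ":") > 0 Then name = Left(name, InStr(name, ":") - 1)
    For Each candidate In Split(ALLOWED_HOSTS, ",")
        If name = candidate Then
            IsAllowedHost = True
            Exit Function
        End If
    Next
End Function

' Server variables built from request headers are client-controlled text,
' so HTML-encode them before writing them into the page.
Function H(ByVal name)
    H = Server.HTMLEncode(Request.ServerVariables(name) & "")
End Function

Dim host, scheme, selfUrl

' 1. Validate HTTP_HOST before any output and before building URLs from it.
host = Request.ServerVariables("HTTP_HOST") & ""
If Not IsAllowedHost(host) Then
    Response.Status = "400 Bad Request"
    Response.Write "Unknown host"
    Response.End
End If

If LCase(Request.ServerVariables("HTTPS") & "") = "on" Then
    scheme = "https://"
Else
    scheme = "http://"
End If
selfUrl = scheme & LCase(host) & Request.ServerVariables("URL")
Response.Write "<a href=""" & Server.HTMLEncode(selfUrl) & """>This page</a><br />"

' 2. Encode on output. Unsafe form, for comparison:
'      Response.Write Request.ServerVariables("HTTP_USER_AGENT")
Response.Write "USER_AGENT: " & H("HTTP_USER_AGENT") & "<br />"
Response.Write "REFERER: " & H("HTTP_REFERER") & "<br />"

' 3. Take the identity from the server's authentication result (LOGON_USER),
'    not from a header the client can set to any value.
If Len(Request.ServerVariables("LOGON_USER") & "") = 0 Then
    Response.Write "Anonymous request<br />"
Else
    Response.Write "Authenticated as: " & H("LOGON_USER") & "<br />"
End If
%>
```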

There are two ways to retrieve the values of headers that are not specified in the list of server variables: use "HEADER_<HeaderName>" or "HTTP_<HeaderName>" as the variable name, that is, prefix the header name with "HEADER_" or "HTTP_". The two differ only in how the header name is interpreted, as described in the variable name table.

Unlike the QueryString collection, Form collection and Cookies collection, the ServerVariables collection can only be used to retrieve available information from the client headers and the web server, because IIS cannot create client headers.

Since the multiple values of a cookie dictionary or cookies collection are in the form of a collection, the values of the keys of a cookie dictionary or the values of the cookie elements of a cookies collection should be retrieved using a For Each loop in order to get the name of each element.

Examples:

  • Retrieve all HTTP headers sent by the client as a string

    ASP script command:

    <%
    Response.Write Request.ServerVariables("ALL_HTTP") & "<br />"
    %>

  • Retrieve all raw header data sent by the client as a string

    ASP script command:

    <%
    Response.Write Request.ServerVariables("ALL_RAW") & "<br />"
    %>

  • Retrieve value of custom headers with name "HeaderName" sent by client

    ASP script command:

    <%
    Response.Write Request.ServerVariables("HEADER_HeaderName") & "<br />"
    %>

    ASP script command:

    <%
    Response.Write Request.ServerVariables("HTTP_HeaderName") & "<br />"
    %>

  • Retrieve client header by name of ServerVariables in ServerVariables Collection

    ASP script command:

    <%
    Response.Write "CONTENT-LENGTH: " & _
    Request.ServerVariables("CONTENT_LENGTH") & "<br />"
    %>

    ASP script command:

    <%
    Response.Write "CONTENT-TYPE: " & _
    Request.ServerVariables("CONTENT_TYPE") & "<br />"
    %>

    ASP script command:

    <%
    Response.Write "ACCEPT: " & _
    Request.ServerVariables("HTTP_ACCEPT") & "<br />"
    %>

    ASP script command:

    <%
    Response.Write "ACCEPT-ENCODING: " & _
    Request.ServerVariables("HTTP_ACCEPT_ENCODING") & "<br />"
    %>

    ASP script command:

    <%
    Response.Write "ACCEPT-LANGUAGE: " & _
    Request.ServerVariables("HTTP_ACCEPT_LANGUAGE") & "<br />"
    %>

    ASP script command:

    <%
    Response.Write "CONNECTION: " & _
    Request.ServerVariables("HTTP_CONNECTION") & "<br />"
    %>

    ASP script command:

    <%
    Response.Write "COOKIE: " & _
    Request.ServerVariables("HTTP_COOKIE") & "<br />"
    %>

    ASP script command:

    <%
    Response.Write "METHOD: " & _
    Request.ServerVariables("HTTP_METHOD") & "<br />"
    %>

    ASP script command:

    <%
    Response.Write "REFERER: " & _
    Request.ServerVariables("HTTP_REFERER") & "<br />"
    %>

    ASP script command:

    <%
    Response.Write "USER_AGENT: " & _
    Request.ServerVariables("HTTP_USER_AGENT") & "<br />"
    %>

  • Path or URL information in ServerVariables Collection

    ASP script command:

    <%
    ' e.g.;  sideway.to
    Response.Write "HOST: " & _
    Request.ServerVariables("HTTP_HOST") & "<br />"
    %>

    ASP script command:

    <%
    ' e.g.;  /dir/default.asp?querystring=value
    Response.Write "HTTP_URL: " & _
    Request.ServerVariables("HTTP_URL") & "<br />"
    %>

    ASP script command:

    <%
    ' e.g.;  /dir/default.asp?querystring=value
    Response.Write "UNENCODED_URL: " & _
    Request.ServerVariables("UNENCODED_URL") & "<br />"
    %>

    ASP script command:

    <%
    ' e.g.;  /dir/default.asp
    Response.Write "URL: " & _
    Request.ServerVariables("URL") & "<br />"
    %>

    ASP script command:

    <%
    ' e.g.;  /dir/default.asp
    Response.Write "PATH_INFO: " & _
    Request.ServerVariables("PATH_INFO") & "<br />"
    %>

    ASP script command:

    <%
    ' e.g.;  c:\webroot\dir\default.asp
    Response.Write "PATH_TRANSLATED: " & _
    Request.ServerVariables("PATH_TRANSLATED") & "<br />"
    %>

    ASP script command:

    <%
    ' e.g.;  querystring=value
    Response.Write "QUERY_STRING: " & _
    Request.ServerVariables("QUERY_STRING") & "<br />"
    %>

  • Loop for all ServerVariables in ServerVariables Collection by item

    ASP script command:

    <%
    For Each item in Request.ServerVariables
    Response.Write item & ": "& Request.ServerVariables(item) & "<br />"
    Next
    %>

Link:http://output.to/sideway/default.asp?qno=120200021

ClientCertificate

Request Object

Another function of the Request object is retrieving the HTTP client certificate sent by the client.

Request.ClientCertificate Collection

The Request.ClientCertificate collection retrieves the field values of the client certificate that is sent in the HTTP request.

Syntax:

Request.ClientCertificate( Key[Subfield] )

Or, in an ASP file:

<% Request.ClientCertificate( Key[Subfield] ) %>

Parameters:

Key

The parameter "Key" is the name of the certificate field to be retrieved. The data type of "Key" is string, and the name is enclosed in quotation marks (" "). The possible certificate fields for Key are:

Value Description
Certificate A string containing the binary stream of the entire certificate content in ASN.1 format. Useful for discovering whether special SubFields are present that are not listed below.
Flags A set of flags providing additional client certificate information. If Flags is set to 1, a client certificate is present. If Flags is set to 2, the last certificate in this chain is from an unknown issuer.
Issuer A string containing a list of subfield values that contain information about the issuer of the certificate. If this value is specified without a SubField, the ClientCertificate collection returns a comma-separated list of subfields. For example, C=US, O=Verisign, and so on.
SerialNumber A string containing the certification serial number as an ASCII representation of hexadecimal bytes separated by hyphens (-). For example, 04-67-F3-02.
Subject A string containing a list of subfield values. The subfield values contain information about the subject of the certificate. If this value is specified without a Subfield, the ClientCertificate collection returns a comma-separated list of subfields. For example, C=US, O=Msft, and so on.
ValidFrom A date specifying when the certificate becomes valid. This date follows VBScript format and varies with international settings. For example, in the United States, 9/22/90 11:59:59 P.M. The year value is displayed as a four-digit number.
ValidUntil A date specifying when the certificate expires. The year value is displayed as a four-digit number.

SubField

The optional parameter "SubField" is used to retrieve an individual field in either the Subject or Issuer keys. The parameter "SubField" is added to the Key parameter as a suffix, for example, IssuerO or SubjectCN. Some common SubField values are:

Variable Name Description
C To specify the name of the country/region of origin.
CN To specify the common name of the user. (This subfield is only used with the Subject key.)
GN To specify a given name
I To specify a set of initials
L To specify a locality
O To specify the company or organization name
OU To specify the name of the organizational unit
S To specify a state or province
T To specify the title of the person or organization

Remarks:

The ClientCertificate collection holds fields of keys and values from a security certificate that the client browser passes to the Web server. These fields are specified in the X.509 version 3 standard for public key certificates. Because X.509 is not an official standard, there are differences among certificates obtained from certification authorities.

In order to populate the fields of the ClientCertificate collection, both the Web server and the client browser must support the SSL3.0/PCT1.0 protocol. The Web site must have secure sockets layer (SSL) enabled and request client certificates. After SSL is enabled, the URL of the Web site will start with "https://" instead of "http://". The client browser must be capable of sending a certificate. If no certificate is sent, the ClientCertificate collection returns EMPTY.

The Web server must be configured to request client certificates.
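The checks described in the Flags row and in the remarks above can be combined into a gate at the top of a protected page. This is an added example, not code from the original page; the constant names, the Deny helper and the issuer name "Example Internal CA" are assumptions.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit

' Added example, not code from the original page.
' Flag values as described in the Flags row of the Key table.
Const CERT_PRESENT = 1          ' a client certificate is present
Const CERT_UNKNOWN_ISSUER = 2   ' last certificate in the chain is from an unknown issuer

' Assumption: the issuer common name this application expects.
Const EXPECTED_ISSUER_CN = "Example Internal CA"

' Stops the request with 403; called before any other output is written.
Sub Deny(ByVal reason)
    Response.Status = "403 Forbidden"
    Response.Write "Client certificate rejected: " & Server.HTMLEncode(reason)
    Response.End
End Sub

Dim flags, validFrom, validUntil

' The collection returns EMPTY when no certificate was sent.
If Len(Request.ClientCertificate("Subject") & "") = 0 Then Deny "no certificate sent"

' Test the flag bits individually instead of comparing the whole value.
flags = CLng(Request.ClientCertificate("Flags"))
If (flags And CERT_PRESENT) = 0 Then Deny "certificate flag not set"
If (flags And CERT_UNKNOWN_ISSUER) <> 0 Then Deny "issuer not recognized by the server"

' Application-level recheck of the validity window against the server clock.
validFrom = Request.ClientCertificate("ValidFrom")
validUntil = Request.ClientCertificate("ValidUntil")
If Not (IsDate(validFrom) And IsDate(validUntil)) Then Deny "unreadable validity dates"
If Now() < CDate(validFrom) Or Now() > CDate(validUntil) Then Deny "outside validity period"

' Key plus SubField suffix: IssuerCN is the CN subfield of Issuer.
' The name is only meaningful after the unknown-issuer bit has been checked.
If StrComp(Request.ClientCertificate("IssuerCN") & "", EXPECTED_ISSUER_CN, vbBinaryCompare) <> 0 Then
    Deny "unexpected issuer"
End If

' Certificate fields are client-supplied text: encode them on output.
Response.Write "Subject CN: " & _
    Server.HTMLEncode(Request.ClientCertificate("SubjectCN") & "") & "<br />"
Response.Write "Serial: " & _
    Server.HTMLEncode(Request.ClientCertificate("SerialNumber") & "") & "<br />"
%>
```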

Beginning with IIS 6.0, IIS is built in Unicode in order to provide improved support for international applications. This can affect features like the Request.ClientCertificate collection. When porting code from an older version of IIS, use a custom COM object to convert the public key to ANSI in a return parameter that ASP can then display.

Examples:

  • Retrieve the value of Key fields in the ClientCertificate Collection

    ASP script command:

    <%
    Response.Write "Raw Certificate Data: " & _
    Request.ClientCertificate("Certificate") & "<br />"
    %>

    ASP script command:

    <%
    Response.Write "Recognization Flag: " & _
    Request.ClientCertificate("Flags") & "<br />"
    %>

    ASP script command:

    <%
    Response.Write "Issuer: " & _
    Request.ClientCertificate("Issuer") & "<br />"
    %>

    ASP script command:

    <%
    Response.Write "Certification Serial Number: " & _
    Request.ClientCertificate("SerialNumber") & "<br />"
    %>

    ASP script command:

    <%
    Response.Write "Subject: " & _
    Request.ClientCertificate("Subject") & "<br />"
    %>

    ASP script command:

    <%
    Response.Write "Commence Date: " & _
    Request.ClientCertificate("ValidFrom") & "<br />"
    %>

    ASP script command:

    <%
    Response.Write "Expire Date: " & _
    Request.ClientCertificate("ValidUntil") & "<br />"
    %>

  • Retrieve the value of Key with Subfield in the ClientCertificate Collection

    ASP script command:

    <%
    Response.Write "Common Name of Issuer: " & _
    Request.ClientCertificate("IssuerCN") & "<br />"
    %>

  • Loop for all elements in ClientCertificate Collection by element

    ASP script command:

    <%
    For Each element in Request.ClientCertificate
    Response.Write element & ": "& Request.ClientCertificate(element) & "<br />"
    Next
    %>


Copyright © 2000-2020 Sideway. All rights reserved. Last modified on 26 January 2013