Platform SDK: IIS SDK
[IIS 5.0] [IIS 5.1] [IIS 6.0]
The ServerVariables collection retrieves the values of predetermined environment variables and request header information.
It is possible for a malicious user to manipulate header values. As a security precaution, always encode request data before using it. A general method of encoding data is to use Server.HTMLEncode. Another method is to write a short function that tests request data for invalid characters and rejects anything outside the set you expect. More information can be found by reading chapter 12 of Writing Secure Code, and by using Checklist: ASP Security when you create your ASP applications.
Request.ServerVariables (server environment variable)
Variable | Description |
---|---|
ALL_HTTP | All HTTP headers sent by the client. |
ALL_RAW | Retrieves all headers in raw form. The difference between ALL_RAW and ALL_HTTP is that ALL_HTTP places an HTTP_ prefix before the header name and the header name is always capitalized. In ALL_RAW the header name and values appear as they are sent by the client. |
APPL_MD_PATH | Retrieves the metabase path for the Application for the ISAPI DLL. |
APPL_PHYSICAL_PATH | Retrieves the physical path corresponding to the metabase path. IIS converts the APPL_MD_PATH to the physical (directory) path to return this value. |
AUTH_PASSWORD | The value entered in the client's authentication dialog. This variable is available only if Basic authentication is used. |
AUTH_TYPE | The authentication method that the server uses to validate users when they attempt to access a protected script. |
AUTH_USER | The name of the user as it is derived from the authorization header sent by the client, before the user name is mapped to a Windows account. This variable is no different from REMOTE_USER. If you have an authentication filter installed on your Web server that maps incoming users to accounts, use LOGON_USER to view the mapped user name. |
CERT_COOKIE | Unique ID for the client certificate, returned as a string. This can be used as a signature for the whole client certificate. |
CERT_FLAGS | bit0 is set to 1 if the client certificate is present. bit1 is set to 1 if the certification authority of the client certificate is invalid (that is, it is not in the list of recognized certification authorities on the server). A script that relies on the client certificate should require bit0 to be set and bit1 to be clear before using any CERT_* value. |
CERT_ISSUER | Issuer field of the client certificate (O=MS, OU=IAS, CN=user name, C=USA). |
CERT_KEYSIZE | Number of bits in the Secure Sockets Layer (SSL) connection key size. For example, 128. |
CERT_SECRETKEYSIZE | Number of bits in server certificate private key. For example, 1024. |
CERT_SERIALNUMBER | Serial number field of the client certificate. |
CERT_SERVER_ISSUER | Issuer field of the server certificate. |
CERT_SERVER_SUBJECT | Subject field of the server certificate. |
CERT_SUBJECT | Subject field of the client certificate. |
CONTENT_LENGTH | The length of the content as given by the client. |
CONTENT_TYPE | The data type of the content. Used with queries that have attached information, such as the HTTP queries GET, POST, and PUT. |
GATEWAY_INTERFACE | The revision of the CGI specification used by the server. The format is CGI/revision. |
HEADER_<HeaderName> | The value stored in the header HeaderName. Any header other than those listed in this table must be preceded by "HEADER_" in order for the ServerVariables collection to retrieve its value. This is useful for retrieving custom headers. Note Unlike HTTP_<HeaderName>, all characters in HEADER_<HeaderName> are interpreted as-is. For example, if you specify HEADER_MY_HEADER, the server searches for a request header named MY_HEADER. |
HTTP_<HeaderName> | The value stored in the header HeaderName. Any header other than those listed in this table must be preceded by "HTTP_" in order for the ServerVariables collection to retrieve its value. This is useful for retrieving custom headers. Note The server interprets any underscore (_) characters in HeaderName as dashes in the actual header. For example, if you specify HTTP_MY_HEADER, the server searches for a request header named MY-HEADER. |
HTTPS | Returns ON if the request came in through a secure channel (for example, SSL); or it returns OFF, if the request is for an insecure channel. |
HTTPS_KEYSIZE | Number of bits in the SSL connection key size. For example, 128. |
HTTPS_SECRETKEYSIZE | Number of bits in the server certificate private key. For example, 1024. |
HTTPS_SERVER_ISSUER | Issuer field of the server certificate. |
HTTPS_SERVER_SUBJECT | Subject field of the server certificate. |
INSTANCE_ID | The ID for the IIS instance in textual format. If the instance ID is 1, it appears as the string "1". You can use this variable to retrieve the ID of the Web server instance (in the metabase) to which the request belongs. |
INSTANCE_META_PATH | The metabase path for the instance of IIS that responds to the request. |
LOCAL_ADDR | Returns the server address on which the request came in. This is important on computers where there can be multiple IP addresses bound to the computer, and you want to find out which address the request used. |
LOGON_USER | The Windows account that the user is impersonating while connected to your Web server. Use REMOTE_USER, UNMAPPED_REMOTE_USER, or AUTH_USER to view the raw user name that is contained in the request header. The only time LOGON_USER holds a different value than these other variables is if you have an authentication filter installed. |
PATH_INFO | Extra path information, as given by the client. You can access scripts by using their virtual path and the PATH_INFO server variable. If this information comes from a URL, it is decoded by the server before it is passed to the CGI script. |
PATH_TRANSLATED | A translated version of PATH_INFO that takes the path and performs any necessary virtual-to-physical mapping. |
QUERY_STRING | Query information stored in the string following the question mark (?) in the HTTP request. |
REMOTE_ADDR | The IP address of the remote host that is making the request. |
REMOTE_HOST | The name of the host that is making the request. If the server does not have this information, it will set REMOTE_ADDR and leave this empty. |
REMOTE_PORT | The client port number of the TCP connection. |
REMOTE_USER | The name of the user as it is derived from the authorization header sent by the client, before the user name is mapped to a Windows account. If you have an authentication filter installed on your Web server that maps incoming users to accounts, use LOGON_USER to view the mapped user name. |
REQUEST_METHOD | The method used to make the request. For HTTP, this can be GET, HEAD, POST, and so on. |
SCRIPT_NAME | A virtual path to the script being executed. This is used for self-referencing URLs. |
SERVER_NAME | The server's host name, DNS alias, or IP address as it would appear in self-referencing URLs. |
SERVER_PORT | The server port number to which the request was sent. |
SERVER_PORT_SECURE | A string that contains either 0 or 1. If the request is being handled on the secure port, then this is 1. Otherwise, it is 0. |
SERVER_PROTOCOL | The name and revision of the request information protocol. The format is protocol/revision. |
SERVER_SOFTWARE | The name and version of the server software that answers the request and runs the gateway. The format is name/version. |
URL | Gives the base portion of the URL. |
If a client sends a header other than those specified in the preceding table, you can retrieve the value of that header by preceding the header name with "HTTP_" in the call to Request.ServerVariables. For example, if the client sends the following header:
SomeNewHeader: SomeNewValue
You can retrieve SomeNewValue by using the following syntax:
<% strNewValue = Request.ServerVariables("HTTP_SomeNewHeader") %>
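The name-mapping rules above (HTTP_ prefix, underscores read as dashes, HEADER_ taken as-is) and the earlier advice to validate or encode header values before use are easy to get wrong, so here is an added example that models them. This is not code from the IIS SDK page; it is a Python reimplementation of the lookup rules the page states, run over a constructed request that carries two look-alike headers (X-Client-IP and X_Client_IP). The dash-to-underscore step in the ALL_HTTP model is an assumption based on the CGI convention IIS follows (User-Agent appears as HTTP_USER_AGENT); the page itself only states the prefix and the capitalization. The allowlist pattern and length bound in is_safe_host_or_addr are this example's choices, not a standard.

```python
"""Model of how the ServerVariables collection resolves request headers.

Added example, not code from the IIS SDK page: it reimplements in Python the
name-mapping rules the page gives for ALL_RAW, ALL_HTTP, HTTP_<HeaderName>
and HEADER_<HeaderName>, then applies the page's advice to validate or
encode a header value before using it. The request below is constructed.
"""
import html
import re

# Constructed request. It deliberately carries two look-alike headers, one
# spelled with dashes and one with underscores, and one that contains HTML.
RAW_REQUEST_HEADERS = (
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "X-Client-IP: 10.0.0.5\r\n"
    "X_Client_IP: 203.0.113.9\r\n"
    "My-Header: <script>alert(1)</script>\r\n"
)


def parse_headers(raw):
    """Split a raw header block into (name, value) pairs, order preserved."""
    pairs = []
    for line in raw.split("\r\n"):
        if line:
            name, _, value = line.partition(":")
            pairs.append((name.strip(), value.strip()))
    return pairs


def all_raw(headers):
    """ALL_RAW: names and values exactly as the client sent them."""
    return "\r\n".join(f"{name}: {value}" for name, value in headers)


def all_http(headers):
    """ALL_HTTP: HTTP_ prefix and upper-cased name. Dashes become underscores,
    the CGI convention IIS follows (User-Agent shows up as HTTP_USER_AGENT).
    That dash step is an assumption of this model; the page only states the
    prefix and the capitalisation."""
    return "\r\n".join(
        f"HTTP_{name.upper().replace('-', '_')}:{value}"
        for name, value in headers)


def server_variable(headers, var):
    """Resolve HTTP_<Name> or HEADER_<Name> as the page describes.

    HTTP_MY_HEADER   searches for a header named MY-HEADER (underscore -> dash)
    HEADER_MY_HEADER searches for a header named MY_HEADER (taken as-is)
    Names are compared case-insensitively, as HTTP header names are.
    Returns "" for an absent header, like an empty collection item.
    """
    if var.startswith("HTTP_"):
        wanted = var[len("HTTP_"):].replace("_", "-")
    elif var.startswith("HEADER_"):
        wanted = var[len("HEADER_"):]
    else:
        raise ValueError("only HTTP_ and HEADER_ lookups are modelled")
    for name, value in headers:
        if name.upper() == wanted.upper():
            return value
    return ""


# The "short function that tests request data for invalid characters" the
# page recommends: an allowlist for a value expected to be a host or address.
# The character set and the 64-character bound are this example's choice.
SAFE_HOST_OR_ADDR = re.compile(r"[A-Za-z0-9.:\-]{1,64}")


def is_safe_host_or_addr(value):
    return SAFE_HOST_OR_ADDR.fullmatch(value) is not None


def html_encode(value):
    """Same effect as Server.HTMLEncode for <, >, & and the double quote."""
    return html.escape(value, quote=True)


def collisions_in_all_http(headers):
    """ALL_HTTP names that more than one sent header maps onto. Two distinct
    headers folding to one name is the case a consumer of ALL_HTTP must
    expect when an attacker controls the request."""
    seen = {}
    for line in all_http(headers).split("\r\n"):
        name = line.split(":", 1)[0]
        seen[name] = seen.get(name, 0) + 1
    return sorted(n for n, c in seen.items() if c > 1)


if __name__ == "__main__":
    hdrs = parse_headers(RAW_REQUEST_HEADERS)
    print(all_raw(hdrs))
    print(all_http(hdrs))
    print("HTTP_X_CLIENT_IP   ->", server_variable(hdrs, "HTTP_X_CLIENT_IP"))
    print("HEADER_X_CLIENT_IP ->", server_variable(hdrs, "HEADER_X_CLIENT_IP"))
    print("collisions in ALL_HTTP:", collisions_in_all_http(hdrs))
    raw = server_variable(hdrs, "HTTP_MY_HEADER")
    print("safe to use as host?", is_safe_host_or_addr(raw))
    print("encoded for HTML:", html_encode(raw))
```

The point to take from running it: HTTP_X_CLIENT_IP and HEADER_X_CLIENT_IP return different values from the same request, and in ALL_HTTP both headers fold onto one name, so a script that picks "the" client address from a header must decide which spelling it trusts and validate the value it gets.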
The following example displays several server variables by name. Because these values originate with the client, each is passed through Server.HTMLEncode before it is written to the page:
<HTML>
<!-- This example displays the content of several ServerVariables.
     Each value is HTML-encoded, as recommended above, so that markup
     in a client-supplied header is rendered as text. -->
ALL_HTTP server variable =
<%= Server.HTMLEncode(Request.ServerVariables("ALL_HTTP")) %> <BR>
CONTENT_LENGTH server variable =
<%= Server.HTMLEncode(Request.ServerVariables("CONTENT_LENGTH")) %> <BR>
CONTENT_TYPE server variable =
<%= Server.HTMLEncode(Request.ServerVariables("CONTENT_TYPE")) %> <BR>
QUERY_STRING server variable =
<%= Server.HTMLEncode(Request.ServerVariables("QUERY_STRING")) %> <BR>
SERVER_SOFTWARE server variable =
<%= Server.HTMLEncode(Request.ServerVariables("SERVER_SOFTWARE")) %> <BR>
</HTML>
The following example uses the VBScript For Each loop to iterate through each existing server variable name. Some will be empty if you have Anonymous Access enabled. The following script lists all of the server variables in a table, HTML-encoding each value because many of them are copied from client-supplied headers:
<TABLE BORDER="1">
<TR><TD><B>Server Variable</B></TD><TD><B>Value</B></TD></TR>
<% For Each strKey In Request.ServerVariables %>
<TR>
<TD><%= strKey %></TD>
<TD><%= Server.HTMLEncode(Request.ServerVariables(strKey)) %></TD>
</TR>
<% Next %>
</TABLE>
The following example inserts the name of the server into a hyperlink.
<A HREF="http://<%= Request.ServerVariables("SERVER_NAME") %>/scripts/MyPage.asp">
Link to MyPage.asp
</A>
Caution It is wise not to trust information in headers when security decisions must be made, as this information may be falsified by the client. For more detailed information, see MS Press - Writing Secure Code.
Platforms: Windows 2000 with IIS 5.0 installed, Windows XP with IIS 5.1 installed, Windows Server 2003 family with IIS 6.0 installed