tags:

views:

1060

answers:

5
Q: 

AUTH_USER and REMOTE_USER cgi variables

The docs aren't entirely clear on this - is there a difference between these variables? On IIS at least they appear to be identical, but I don't want to rely on that if it might be different under other servers.

+2  A: 

I'm fairly sure REMOTE_USER is the standard CGI variable.

According to this page, they are the same: http://livedocs.adobe.com/coldfusion/6/CFML_Reference/Expressions5.htm

Peter Boughton  2009-05-12 14:24:51
+6  A: 

According to the Adobe ColdFusion documentation they are the same.

http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=Expressions_8.html

Looking at the openbd source code, the remote_user and the auth_user are mapped to the same key, so it returns the same value.

Looking at the railo source code, I'm not quite understanding what is going on, but it appears to be setting remote_user, and I'm not sure if auth_user is being set anywhere.

If you are designing an app that is compatible with coldfusion, railo, and openbd, it appears safer to use remote_user. Maybe someone else can comment because I don't fully understand the code without taking the time to investigate deeply.

Jayson  2009-05-12 14:58:43
Adobe's docs seem to suggest remote_user is the preferred choice.
Jayson  2009-05-12 15:00:02
+1  A: 

In my experience, CGI variables tend to differ between Web Servers (Apache, IIS, JRun, etc), and even between their versions. The only safe bet, when basing something on a CGI variable, is to check what values show up on your dev, stage, production (etc) servers.

Adam Tuttle  2009-05-12 17:12:34
+1  A: 

to be on the safe side stick to REMOTE_USER as it is the one defined in the CGI/1.0 spec (Found here http://www.ietf.org/rfc/rfc3875)

AUTH_USER seems to have snuck in over time

LucasS  2009-05-15 23:09:05
+2  A: 

REMOTE_USER and AUTH_USER will be the same in AdobeCF/IIS, but not on AdobeCF/Apache. AUTH_USER will be blank when using AdobeCF/Apache.

So it is best to code using the REMOTE_USER variable. If you find yourself working on code that references AUTH_USER in Apache, there is a way to make Apache populate that variable using mod_rewrite. This will cause Apache to copy REMOTE_USER into AUTH_USER:

RewriteEngine on RewriteCond %{REMOTE_USER} (.) RewriteRule . - [E=AUTH_USER:%1]

There is more info here: http://www.stillnetstudios.com/copying-env-variables-in-apache/

 2010-01-09 22:03:41

related questions

IE6 security login (debugging via VirtualPC)
Asp.net Reinstalling a DLL into the GAC
Failed to load resources from resource file.
What does an IISReset do?
How do I secure a folder used to let users upload files?
VBScript/IIS - How do I automatically set ASP.NET version for a particular website
IIS 6/COM+ hangs
Web server farms with IIS ? Basic Infos
.NET 3.5 Service Pack 1 causes 404 pages on ASP.NET Web App
What Url rewriter do you use for ASP.Net?
Publishing to IIS - Best Practices
ASP.NET Proxy Application
PHP on IIS
How do I stop IIS7 dropping my cookies?
HTTPS in IIS 5.1
Best tool for performance testing ASP.NET
Alternative Hostname for an IIS web site for internal access only
SQL Server 2008 FileStream on a Web Server
Solutions for working with multiple branches in ASP.Net
Dual vs. Quadcore on a Webserver
PHP Error - Uploading a file
Visual Studio 2008 debugger already attached work-around
Linux shell equivalent on IIS
Bandwith throttling in IIS 6 by IP Address
Checklist for IIS 6/ASP.NET Windows Authentication?