Question: Why does the InternetConnect function need a password and a login?

Hi there,

I've been told an https request could only be used for encrypting the data transmitted, not for authentication.
In this case, why does the InternetConnect function need a login and a password?

Please have a look at my code snippet and also at question
http://www.experts-exchange.com/Microsoft/Development/.NET/Visual_Studio_.NET_2005/Q_23122733.html

Thanks in advance
Code Snippet:
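#include <windows.h>
#include <wininet.h>   // link with wininet.lib
#include <tchar.h>     // _tcslen
#include <stdlib.h>    // free
#include <string.h>    // strlen

#define DIRECTORY_AND_SYNC_SCRIPT_NAME L"MyDir/MyScript.cgi"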
 
int MakePostHttpsRequest(LPWSTR wLogin, LPWSTR wPassword, LPWSTR wBoxIP, int iPort, char * sInput)
{
	HINTERNET hOpen, hConnect, hReq;
 
	hOpen = InternetOpen(L"anonymous", INTERNET_OPEN_TYPE_PRECONFIG, NULL, L"", 0);
	if(!hOpen)
// Doesn't reach this line
		return 1;
 
	hConnect = InternetConnect(hOpen, wBoxIP, iPort, wLogin, wPassword, INTERNET_SERVICE_HTTP, 0, 0);
	if(!hConnect)
	{
// Doesn't reach this line
		InternetCloseHandle(hOpen);
		return 1;
	}
 
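	// INTERNET_FLAG_SECURE requests TLS; the two IGNORE_CERT flags turn off the
	// certificate host-name and validity-date checks for this request.
	hReq = HttpOpenRequest(hConnect, L"POST", DIRECTORY_AND_SYNC_SCRIPT_NAME, L"HTTP/1.0", NULL, NULL, INTERNET_FLAG_RELOAD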
																			| INTERNET_FLAG_KEEP_CONNECTION
																			| INTERNET_FLAG_SECURE
																			| INTERNET_FLAG_IGNORE_CERT_CN_INVALID
																			| INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, 0);
	if(!hReq)
	{
// Doesn't reach this line
		// Close handles in reverse order of creation
		InternetCloseHandle(hConnect);
		InternetCloseHandle(hOpen);
		return 1;
	}
 
	LPCWSTR wHeader = L"Content-Type: application/x-www-form-urlencoded";
 
	char * sInputEncoded = MyString::Encode(sInput);
 
	int iRetVal;
	iRetVal = HttpSendRequest(hReq, wHeader, (DWORD) _tcslen(wHeader), sInputEncoded, (DWORD) strlen(sInputEncoded));
	DWORD uErrorCode = GetLastError();
	if(iRetVal != 1)
	{
		// there has been a problem
		if(uErrorCode == ERROR_INTERNET_INVALID_CA)
		{
// Reach this line
 
			// Pb of rights
			iRetVal = InternetErrorDlg(GetDesktopWindow(),
										hReq,
										ERROR_INTERNET_INVALID_CA,
										FLAGS_ERROR_UI_FILTER_FOR_ERRORS
										| FLAGS_ERROR_UI_FLAGS_GENERATE_DATA
										| FLAGS_ERROR_UI_FLAGS_CHANGE_OPTIONS,
										0);
// I click "Yes" when asked to accept the certificate
 
			if(iRetVal == ERROR_SUCCESS)
			{
// Reach this line
				// The certificate is accepted
				HttpSendRequest(hReq, wHeader, (DWORD) _tcslen(wHeader), sInputEncoded, (DWORD) strlen(sInputEncoded));
				// sInputEncoded is not freed here: the common exit path below frees it once
			}
			else
			{
				// The certificate is refused : Leave !
				InternetCloseHandle(hReq);
				InternetCloseHandle(hConnect);
				InternetCloseHandle(hOpen);
 
				free(sInputEncoded);
				
				return 1;
			}
		}
		else // Another problem : Leave !
		{
			InternetCloseHandle(hReq);
			InternetCloseHandle(hConnect);
			InternetCloseHandle(hOpen);
 
			free(sInputEncoded);
 
			return 1;
		}
	}
 
// I can see the script has been executed on the server with the data transmitted
 
	InternetCloseHandle(hReq);
	InternetCloseHandle(hConnect);
	InternetCloseHandle(hOpen);
 
	free(sInputEncoded);
 
	return 0;
}

Answer: Why does the InternetConnect function need a password and a login?

https protects against 'man in the middle' attacks.  If anyone is tapping the line somewhere between your web site and the end user all they'll see is encrypted data.  Other than that it's supposed to work like normal http, and the connection is set up automatically.

Now for the authentication tokens used with InternetConnect().  It might be possible to use them like you want, but there are some things you'll want to consider first.  One is that there's nothing special about https in this regard.  The tokens are available for http too.  The other is that authentication happens at the web server level before requests are approved.  This has several drawbacks:
1) You can't include the login in the web page since users must authenticate *before* any page is sent to the browser.
2) Tokens are often stored in plain text config files.
3) It only supports authentication.  There's no built-in mechanism to do anything beyond that, like use the user name as a key into a database that knows things like your name, e-mail address, site preferences, shipping details, saved shopping carts, or anything else.
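
The web-server-level check described in the answer, as an added example (not the poster's code and not part of WinINet). It assumes the server protects the script with the HTTP Basic scheme; gate_request, the host box.example and the alice/s3cret pair are made up for the illustration. The Authorization header is an HTTP field, so the request looks the same to the server with or without TLS around it.

```c
#include <stdio.h>
#include <string.h>

/* Decode n base64 characters into out; returns length, or -1 on bad input. */
static int b64_decode(const char *in, size_t n, char *out, size_t cap) {
    static const char T[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned acc = 0; int bits = 0; size_t o = 0;
    for (size_t i = 0; i < n && in[i] != '='; i++) {
        const char *p = in[i] ? strchr(T, in[i]) : NULL;
        if (!p || o + 1 >= cap) return -1;
        acc = (acc << 6) | (unsigned)(p - T);
        if ((bits += 6) >= 8) { bits -= 8; out[o++] = (char)((acc >> bits) & 0xFF); }
    }
    out[o] = '\0';
    return (int)o;
}

/* Compare without stopping at the first differing byte. */
static int same(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Status the web server returns before the CGI script is started.
   Assumes the Basic scheme and the exact header spelling below. */
int gate_request(const char *req, const char *user, const char *pass) {
    static const char H[] = "\r\nAuthorization: Basic ";
    char got[256], want[256];
    const char *h = strstr(req, H), *end = strstr(req, "\r\n\r\n");
    if (!h || (end && h > end)) return 401;   /* no credentials in the headers */
    h += sizeof H - 1;
    if (b64_decode(h, strcspn(h, "\r\n"), got, sizeof got) < 0) return 401;
    if (snprintf(want, sizeof want, "%s:%s", user, pass) >= (int)sizeof want) return 401;
    return same(got, want) ? 200 : 401;
}

/* Constructed requests; host and credentials are placeholders. */
#define REQ_LINE "POST /MyDir/MyScript.cgi HTTP/1.0\r\nHost: box.example\r\n"
static const char REQ_ANON[]  = REQ_LINE "\r\n";
static const char REQ_WRONG[] = REQ_LINE "Authorization: Basic YWxpY2U6Z3Vlc3M=\r\n\r\n";
static const char REQ_OK[]    = REQ_LINE "Authorization: Basic YWxpY2U6czNjcmV0\r\n\r\n";

int main(void) {
    printf("%d %d %d\n", gate_request(REQ_ANON, "alice", "s3cret"),
           gate_request(REQ_WRONG, "alice", "s3cret"), gate_request(REQ_OK, "alice", "s3cret"));
    return 0;
}
```

The header value is base64, which is an encoding and not encryption, so over plain http the login and password are readable in transit; TLS is what keeps them confidential.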