WebSite Professional

WebSite Professional 2.4
Release Notes

Server Build 2.4.9
Property Sheet Build 2.4.9


This is WebSite Professional 2.4. This point release contains a major upgrade to the cryptographic engine in WebSite. With this upgrade, WebSite now supports the new Transport Layer Security (TLS) 1.0 protocol, the successor to SSL 3.0. In addition, this is the first release of WebSite Pro that supports the use of client certificates for authentication. This release also includes all fixes to version 2.0, through 2.3.18.

These release notes are cumulative, documenting all changes made to WebSite Pro 2.0 since its release in September 1997. The extensive new features introduced in WebSite Pro 2.1 are fully described in the PDF document, "WebSite Professional 2.1 Supplement," which is available at The UpLink publishing utility is documented in its online help. UpLink is included in the WebSite Pro 2.4 zip file as uplink_setup.exe. UpLink is provided as freeware to the Internet community. You may freely copy and redistribute it.


O'Reilly & Associates provides installation support online at in the Installation Support conference.

O'Reilly accepts no responsibility for UpLink or its use. Beyond the FAQ at O'Reilly & Associates provides no technical support for UpLink.

Changes in Point Release 2.4 (15-Dec-1999)

  1. Major upgrade to cryptographic engine, certificate handling, and SSL 2.0 and 3.0 protocols, as well as additional ciphers and hash functions.
  2. New support for Transport Layer Security (TLS) 1.0 security protocol.
  3. New support for client certificate authentication. See the lists (below) of new server and CGI variables resulting from this addition. Note that the server does not make access control decisions based on supplied certificates. This must be done within a CGI/WSAPI/ISAPI application or using a WSAPI authentication DLL.
  4. New support for exporting public and private key pairs and trusted roots. This support is available from the Key Ring tab in Server Properties.
  5. A folder of trusted roots has been placed in the WebSite\Admin folder for convenience in updating trusted roots.
  6. The property sheet now allows for creation/deletion and certification of key pairs over and over without requiring that you close and reopen the property sheet.
  7. WSAPI is now at version 1.3, reflecting the addition of cert items to the TCTX. Older extensions will work with this new version if they version-bind leniently. See the list below.
  8. Windows CGI is now at version 1.4, reflecting the addition of cert items in a new [crypto] section. Older Windows CGI programs will work with this new version. See the list below.
  9. Standard CGI is now at 1.4 reflecting the addition of cert items in the environment variables. See the list below.
  10. The server has two new server-side content types for handling non-existent files: wwwserver/isapi-x and wwwserver/wsapi-x. These new content types pass through non-existent files, providing functionality for advanced features for files of these types without disrupting current support for other files that require checking. The wwwserver/?sapi content types generate 404 messages as in earlier versions of WebSite.
  11. ISAPI ISA extension handshakinng is now lenient. It will allow an ISA with any version to bind to WebSite Pro. If the ISA uses advanced ISAPI features not supported by WebSite, an error will be logged.
  12. iHTML is updated to 2.18; see for the latest version of iHTML and iHTML Merchant.

New TCTX items for WSAPI 1.3 in WebSite 2.4

// Additional remote (client) identity
BOOL bClientAuth;		// TRUE if client suth succeeded
BOOL bTrustInvalid;		// TRUE if no trusted root for the cert
char *remote_cert_subject;	// Subject DN (RFC1485, alloc)
char *remote_cert_issuer;	// Issuer DN (RFC1485, alloc)
int remote_cert_keysize;	// Public key size, bits (e.g., 512, 1024)
char *remote_cert_serial;	// Serial number, hex (alloc)
time_t remote_cert_begin;	// Cert validity begin (CRT time)
time_t remote_cert_end;		// Cert expiration (CRT time)
char *remote_cert_status;	// Status (e.g., "REVOKED", alloc)
BYTE *remote_cert;		// Raw cert BER
DWORD remote_cert_len;		// Length of cert BER
// Server Cert info
char *local_cert_subject;	// Subject DN (RFC1485, alloc)
char *local_cert_issuer;	// Issuer DN (RFC1485, alloc)
int local_cert_keysize;		// Public key size, bits (e.g., 512, 1024)
// SSL/TLS connection
int data_keysize;		// Data cipher key size, bits (e.g., 40, 128)

New WSAPI/ISAPI server variables for WebSite Pro 2.4

The following new server variables are described in the IIS/ISAPI documentation. We tried to follow this as closely as possible, but there may be minor differences in formatting. Some items may be empty; for example, if there was no client (cert) auth, then the client cert items will be empty. The CERT_FLAGS item tells whether the client cert was used, and if it was validated against one of WebSite's trusted roots. These variables are available by name to WSAPI and ISAPI extensions via GetServerVariable().




New Windows CGI variables for WebSite Pro 2.4

These are put into a new [crypto] section of the INI file:
SecureConnection            ("Yes" or "No")
ServerCertSubject           RFC1485 format
ServerCertIssuer            RFC1485 format
ServerCertKeysize           (string, e.g., "512", "1024")
DataKeysize                 (string, e.g., "128", "40")
ClientCertSubject           RFC1485 format
ClientCertIssuer            RFC1485 format
ClientCertKeysize           (string, e.g., "512", "1024")
ClientCertSerial            (hex string)
ClientCertStatus            (string, e.g., "EXPIRED")
ClientCertTrusted           ("Yes" - "No", if trusted root present)
ClientCertValid             (HTTP-standard date-time, cert valid time)
ClientCertExpires           (HTTP-standard date-time, cert exp time)

New Standard CGI variables (no new DOS CGI vars!!)

HTTPS                       ("ON" or "OFF")
HTTPS_SERVER_SUBJECT        RFC1485 format
HTTPS_SERVER_ISSUER         RFC1485 format
HTTPS_SECRETKEYSIZE         (string, e.g., "512", "1024")
HTTPS_KEYSIZE               (string, e.g., "128", "40")
HTTPS_CLIENT_SUBJECT        RFC1485 format
HTTPS_CLIENT_ISSUER         RFC1485 format
HTTPS_CLIENT_SECRETKEYSIZE  (string, e.g., "512", "1024")
HTTPS_CLIENT_STATUS         (string, e.g., "EXPIRED")
HTTPS_CLIENT_TRUSTED        ("YES" - "NO", if trusted root is present)
HTTPS_CLIENT_VALID          (HTTP-standard date-time, cert valid time)
HTTPS_CLIENT_EXPIRES        (HTTP-standard date-time, cert exp time)

Changes in Hot Fix 2.3.18 (9-Sep-99)

  1. Large HTTP methods will now cause a 500 server error (buffer too small in getword()) and the server will continue to operate.
  2. All control characters are now removed from the URL and Referer fields prior to logging. Spaces are retained.
  3. HTTP/0.9 requests are now logged.
  4. IP-based virtual server support now works for HTTP/0.9. Note that IP-less virtual servers cannot be supported as HTTP/0.9 does not provide headers and the Host: header is required for IP-less virtual server support.
  5. Fixed file descriptions from HTML in directory listings. The HTML title will be used if the ... tags fall within the first 1023 characters, regardless of line breaks.
  6. Increased the number of hostnames WebSite Pro can support to 100,000.
  7. Fixed SSI.DLL so it will not cause an access violation on a query string with a name and no value.
  8. Removed the dependencies for the Registry key LogKeepCycles. Since release 2.2 this value has not been used and the dependencies were unnecessary. See the release notes for Release 2.2 (items #2-3) for an explanation of the log cycling changes.
  9. QuickStats is now Y2K compliant.

Changes in Hot Fix Release 2.3.15 (25-Nov-98)

  1. Fixed an authentication problem with release 2.3.14.

Changes in Point Release 2.3.14 (20-Nov-98)

  1. Fixed a small memory leak that occurred with ISAPI requests.
  2. The working thread "limit" has been increased to 20,480.

Changes in Point Release 2.3.10 (22-Oct-98)

  1. This version now supports multiple certificates on one web server that were created with different key strengths.

Changes in Point Release 2.3.9 (08-Oct-98)

  1. Remove any newlines in Referer:, User-Agent:, etc. prior to logging. (see #23 in 2.2 release notes, this item was not fully implemented in 2.2, fixed in release 2.3.8)
  2. Domestic server only. Changed the SSL library functions such that an export browser can succesfully negotiate a step-down when establishing an SSL connection with a full strength server.

Changes in Point Release 2.3.7 (14-Jul-98)

  1. Reversed a change to the logging logic and Windows Log Format such that the local host name is logged, rather than the Host: header sent by the browser.
  2. Fixed a bug in ssi.dll where query strings in exec'd cgi applications were not being cleared out.
  3. Increased the stack allocation in WebFind to handle extremely large results.
  4. Replaced an incorrectly shipped (in 2.3) debug build of index.exe with the correct build.
  5. Added online help for Server Properties.

Changes in Point Release 2.3 (01-Jul-98)

  1. Changed handling of HTTP requests with a Host: header field. If an HTTP request contains a Host: header field, the hostname value is now always used for URL fix-up, as the SERVER_NAME CGI variable, in the various Java classes that encapsulate the current request's hostname, and as the value of other variables that store the hostname of a request.
  2. Changed the form of HTTP-compliant date/time strings generated by the server. Such places as the Date: header field and common/combined log entries now always contain the English form of the abbreviated month and day-of-week names. This is required by HTTP/1.0 and HTTP/1.1.
  3. Changed how the server handles requests containing extra header fields with no value strings. The server no longer traps on such requests. The server is still strict in its testing of standard header fields.
  4. Revised the Windows Log Format. The new version is 1.1. The only change is to the date/time field. In the past, this field was allowed to vary with Regional Settings and operating system language/locale characteristics. Beginning with this version, the date and time fields in the Windows Log Format are fixed. The format is:
    If you are using the Windows Log Format, you should cycle your log files before installing WebSite Pro version 2.3. You may also need to make changes in your log analyzing program settings.
  5. Modified QStats to read the Windows Log Format version 1.1.
  6. Fixed a sporadic bug in swish.dll (affecting WebFind) that would cause a search in document titles only to return incorrect results.
  7. Enhanced WebFind. It now displays the number of matching documents found and more descriptive error messages when a keyword is too common or not found.
  8. Included a new tool, WSVersion, to assist users and tech support with tracking the versions of installed components.
  9. Added a new setting for people who are using an ASP document as their default (index) document and experience problems with ASP during server cold-startup. You can now instruct the server to wait for a specified time before accepting connections. This is a workaround for the ASP bug where asp.dll says it's ready for action before it really is. The startup delay value is stored in the Registry:
                 CurrentVersion     StartupDelay:REG_BINARY:00 00 00 00
    The default is no delay at cold startup. To specify a delay setting for the StartDelay value, enter a delay time in milliseconds. Note that this value obeys the usual binary conventions for REG_BINARY values. For example, 30 sec. is 30000 milliseconds, or 7530 hex, so the setting in the Registry should be 30 75 00 00. If you don't know what setting to use (and don't mind a 30 second delay on cold start), just use the above value for 30 seconds.
  10. Fixed a security hole caused by Windows that would allow a file to be opened and served improperly, exposing the source of in-line executable documents.

iHTML Changes in Point Release 2.3; iHTML version 2.15; Merchant 1.04

Please refer to the documenatation installed in /~wsdocs/ihtmlpro/docs/

Changes in HotFix 2.2a (11-Apr-98)

This hot-fix addresses three problems that came to our attention shortly after the release of version 2.2. No new features have been added. The problems fixed in this release are:
  1. The server stops without logging any problems when the Referer: header field exceeds "a few hundred bytes" and the target URL is not found (404) or forbidden for access (403).
  2. The server stops without logging any problems when an ISMAP imagemap request is received, the click is outside any of the defined hot-spot regions, and there is no Default entry in the imagemap (.map) file.
  3. On Windows NT, the total size of the shell environment block was too small to execute a standard CGI program. This would occur, for example, when the Referer: header field is "large". The environment size limit has been increased to 64K bytes.
  4. This release also adds a new content type mapping for Adobe Form Definition Files: application/vnd.fdf

Changes in Point Release 2.2 (10-Feb-98)

  1. Changed handling of requests containing a Host: header field with a hostname that is not configured as an identity. Such requests are now routed to the identity that is bound to the IP address on which the request was received. This makes it possible to use CNAME DNS records in the same way they were used before introduction of IP-less multi-homing. If there are no identities bound to the IP address on which the request was received, the server returns an error.
  2. Added support for automatic log file cycling. See the Logging tab of Server Properties for changes. Cycling can take place daily at any hour, weekly, or monthly. In addition, cycling can take place when a log file reaches a configured size.
  3. Changed naming of cycled-out log files. They are now named using the date (in local time) at which the file was cycled. The format is:


    where YYYY is the 4 digit year, MM is the 2 digit month, DD is the 2 digit day, and N is a sequence number, which gets bumped for each cycle within a day. This naming scheme works with the WebTrends macro language, which has substitution tokens for numeric parts of a date in a filename.

  4. Added the ability to disable access logging completely by erasing the access log pathname on the Logging tab of Server Properties. You no longer need to (nor should you) use NUL:. Erasing the path name causes the server to completely skip its internal logging logic.
  5. Improved WebView. You can now create new identities from the left tree. Startup time on a server with many virtual servers is reduced dramatically. Memory consumption is reduced. Search speed is increased, and there are many other small improvements.
  6. Added a way to create access control points from WebView. At the mapping level and below, Access Control and Publish Control replace "properties." Selecting these opens Server Properties to the appropriate tab, with the *nearest applicable* access control point selected. If there is no access control point for the exact path, you can add one by clicking New, and the New Protected Path dialog appears with the exact path in the URL Path text box.
  7. Added a Registry entry for the text of the 503 Too Busy response, which you can now configure by editing the Registry at:

         TooBusyMsg:REG_SZ (string)
  8. Added the ability to disable exact date/time matching for the "If-Modified-Since:" feature of HTTP and replace it with the inexact algorithm specified in the HTTP specification. To disable exact matching, edit the Registry as follows:

         Exact IfModSince:REG_BINARY:00 00 00 00

    The following value enables it:

    Exact IfModSince:REG_BINARY:01 00 00 00
  9. Added a GUI for adjusting the heap and stack limits on WebSite Pro's embedded Java virtual machine. The new Advanced button on the Java tab of Server Properties opens the JRun advanced settings sheet.
  10. The server now rejects any HTTP request that contains a URL path without a leading '/index.html'.
  11. Changed the 204 response, which now has no content. This conforms to the HTTP/1.1 specifications.
  12. Changed server-generated directory listings so that the table/plain mode is preserved when moving up and down between directories in a directory tree.
  13. Changed password requirements for a newly created key ring. You are now required to enter a password. The Cancel button is dimmmed in this case.
  14. Changed the response to a request for a non-existent object in an access controlled path to return "access denied" instead of "not found."
  15. Changed the Windows Log Format so it generates date/time strings that follow the settings in the Regional Settings control panel (see also item 39 below).
  16. Added the logging of 404 Not Found errors to error.log under all conditions.
  17. Added the logging of 503 Too Busy errors to error.log.
  18. Added the logging of 400 Bad Request errors resulting from connecting to an unknown identity to access.log and error.log.
  19. Deleted the "trans proc" counter. It was too difficult to make this one hundred percent accurate.
  20. Disabled "Implicit matching" in IP filtering. You are now required to use '*' and '?' for pattern matching.
  21. Added to the HTTP header parsing engine the ability to catch really corrupt requests, and return a 400 Bad Request, along with some hint of the illegal junk in the header. This was added to handle garbage Cookie: header fields being sent by some old browsers.
  22. Fixed a fencepost error in redirection mapping introduced in 2.1.
  23. Now remove any newlines in Referer:, User-Agent:, etc. prior to logging.
  24. Fixed the return from PUT to an existing file to return 200 OK instead of 201 Created.
  25. Fixed the long-standing "odd" behavior of the task tray menu.
  26. Corrected the Perl and Python language names on the ASP tab of Server Properties.
  27. Fixed the Mapping tab so that the alert "You have unsaved changes..." no longer appears at strange times.
  28. Improved the ASP tab in Server Properties. In checking for the presence of ASP 1.0, if ASP 2.0 (unsupported) is installed, the ASP tab no longer reports a strange Registry error.
  29. Fixed the Java tab on Server Properties. All controls are disabled unless the WebSite Java Servlet SDK is installed.
  30. Added support for either ';' or ',' to separate default document match patterns (e.g., "index.*,default.*" is legal now).
  31. Added Association and Content-type mappings for .stag files used by the <servlet> tag.
  32. Removed a limit on the number of virtual servers that could be handled by WebView, WebIndex and QuickStats.
  33. Changed WebIndex so it indexes the Title (not just the filename) of .cfm, .dbm, .dbml, .htm, .html, .html-ssi, .ihtml, .shtml, and .ssi files.
  34. Fixed the WebSite Java Servlet SDK WebSite.Cookie class so that the maxAge property is in seconds (as opposed to milliseconds). The WebSite.Servlet API is now at version 1.2.
  35. Uncaught exceptions in WebSite type servlets now log the exception information (including the stack traceback) into the WSJava.log file.
  36. Added the "Allow creation of directories" security option to the Publish Control. Unless this is turned on, the server will prohibit creation of directories as part of PUT operations to affected URL paths.
  37. Changed the limit on the maximum number of worker threads to 1024. Previously, it was incorrectly set to 256.
  38. Fixed the WebSite.Servlet API to handle HTTP requests that have no Accept: header, or an empty one.
  39. Added the option for WinLogFormat to use either the default Local System date format or to use the user date format settings in Control Panel. Note that when using the Control Panel setting, if no user is logged in, the server reverts to using Local System Default. This means if WebSite is running as a service, and users log on and off, the date format in the log may change.
         WinLogSystemDate:REG_BINARY:01 00 00 00 (use local system default)
         WinLogSystemDate:REG_BINARY:00 00 00 00 (use Control Panel settings)
  40. The JRun Java Servlet kit has been updated:
    • Adds support for JDK 1.2 version of the Servlet API 1.1
    • Adds persistent session tracking capability
    • Adds support for Servlet pooling (SingleThreadModel interface)
    • JFC 1.1 based administration application/applet for remote admin capabilities of servlets

New Registry Data in Version 2.2

     TooBusyMsg:REG_SZ (string)
     Exact IfModSince:REG_BINARY: (4 bytes)
     WinLogSystemDate:REG_BINARY: (4 bytes)

HKEY_LOCAL_MACHINE\Software\Denny\WebServer\CurrentVersion\Logs\ CycleInterval:REG_BINARY: (4 bytes) CycleSize:REG_BINARY: (4 bytes)

HKEY_LOCAL_MACHINE\Software\Denny\WebServer\CurrentVersion\Java\ MaxNativeStack:REG_BINARY: (4 bytes) MaxJavaStack:REG_BINARY: (4 bytes) MaxJavaHeap:REG_BINARY: (4 bytes)

iHTML Changes in Point Release 2.2; iHTML version 2.12

  1. Improved speed in various areas and improved stability on Windows 95.
  2. Added the <iMULTIPART> tag to handle multiple part form uploads.
  3. Added the ability to upload forms and files on a single page.
  4. Changed <iHTTP> so it now sends Host: header fields.
  5. Added a new environment variable :i_currentpage to report the name of the file in which the variable resides. (Missed previous release.)
  6. Added a feature to allow you to disable tags (see "New Registry Settings" below).
  7. Integrated GENSCK32.DLL with the main DLL to get rid of the message window and more tightly integrate the code.
  8. Changed handling of GET methods on iHTML pages. These are now converted to POST methods automatically. A Registry setting allows you to turn off this feature if necessary (see LEAVEGET in "New Registry Settings" below).
  9. Added == as a new method to evaluate tags within tags. This can be used like the EVAL=TRUE directive on <iEQ> to evaluate tags within tags such as on the OUTPUT directive of <iHTML>.
  10. Improved error handling as follows:
    - Improved handling of FATAL exceptions to prevent server crash.
    - Enhanced the ihtml.log file with more diagnostic information. Forward any ihtml.log files with an exception to with the page that caused the error for analysis and resolution.
    - Added a new, more comprehensive log file to allow more detailed tracking of errors occurring on the server. See ERRORLOGPATH in "New Registry Settings" below).
    - Fixed error reporting for tag set (tags that have ending pieces, for example, </iMAIL>, </iIF>, </iWHILE>, </iLOOP>).
    - Added error code 760 for colon variables in incorrect places.
  11. <iISDATE> now returns the correct result.
  12. Fixed <iCONTENT>, which was not keyed and wouldn't work.
  13. <iRANDOM> now works on the default connection.
  14. <iDATEEXT> now reports DAYOFYEAR and DAYSINYEAR correctly for 12/31/96 and calculates leap years.
  15. <iGETMIMEFILE> and <iGETMIMENAME> now work for file uploads.
  16. <iERROR> block no longer gets chopped off, causes errors, gets double results, or outputs garbage text in certain situations.
  17. <iCOUNTER> works as it did in the shipping 2.1.
  18. <iLINK src=""> now works as expected.
  19. <iPING> no longer gives an exception if used on a non-existant server.
  20. <i_pop_cc> returns the entire string of email addresses for all clients.
  21. <iMAIL> works correctly with all sets of DLLs.
  22. K and L now work properly in <iIF> with the EXPR directive.
  23. <iPOPFETCH> now works correctly with LOAD=FALSE.
  24. Date functions now accept dates after 2035.
  25. Fixed <iSQL> timeout errors.
  26. SCHEDULE.MDB file imcrements the Next field correctly.
  27. <iEVAL> now works with a negative number.
  28. Added more error checking to <iMAIL>.
  29. <iSTRSPAN> no longer cuts off the last character.
  30. <iISDEF> no longer reports TRUE if the variable is defined as itself.
  31. <iPOPHEADERS> no longer cleans out previous message headers before getting next message data.
  32. <iEVAL> reports error 500 if a divide by zero occurs.
  33. <iCGI> now reports error codes properly.
  34. <iDATEDIFF> no longer returns odd numbers.
  35. <iSTOP> now stops in all cases.
  36. Fixed <iEVAL>, which was causing problems with expressions like 25 - -25.
  37. Fixed <iBPPE> problem that caused it to seem not to start running.
  38. The <iHTML> BREAKONOUTPUT directive now breaks even if it is in an <iINCLUDE> block.
  39. Fixed <iPOPFETCH> so it no longer crashes the server when deleting a large email.
  40. Fixed <iDIR>, which was causing an exception.
  41. Fixed problem with uploading GIF files.
  42. <iPING> now returns -1 if a domain is not found instead of 20, as previously.

New iHTML version 2.12 Registry Settings

Added the following new string value Registry settings to the key

  1. COLNUMBERS - Determines whether to generate result columns as numbers in the database related tags. The Registry setting is used as the default for the NUMBERS= setting of those tags. Default is TRUE.
  2. TAGPEEK - Specifies how many tags the parser should look at when looking for the tag. The default is 150. It may be set as low as 8 and still react to <!ihtml> at the start of the file. If set to 0, iHTML doesn't bother looking for a <!ihtml> tag, and parses the file anyway.
  3. SINGLET - Sets single thread operation. Default is FALSE. If set to TRUE, the server may deadlock if a single iHTML page uses 2 iHTTP tags to talk to the same server.
  4. FLUSHSTMT - Allows SYBASE users to flush the result set when encountering </iSQL>. FALSE is the default. Change to TRUE for Sybase.
  5. LEAVEGET - Disables conversion of GET method to POST method on <FORM> tags. The default is TRUE.
  6. ERRORLOG - Turns error logging on and off. Set to TRUE or FALSE.
  7. ERRORLOGPATH - Sets the path and filename for the file in which to store all tag ERROR conditions with diagnostic information.
  8. COOKIECASE - Used to enable case sensitivity on cookie names generated and read by iHTML. The default is FALSE.
  9. Added the subkey /ERRORS with the string value setting E760. Turns off 760 error checking when set to false.
  10. Added the subkey /DISABLETAGS - You can add any of the following as settings under this key:icgi,icopyfile, iconfig, idownload, ifile, ifileinfo, ifiletransfer,iftp, igetmimefile, igetmimename, iregkey, iregval, isvc, itelnet. Each setting corresponds to the tag of the same name. Set the string value to true to disable the tag.

Changes in Point Release 2.1 (15-Dec-97)

  1. For a complete description of the new features affecting the administration, security, and development environments of WebSite Pro, see the accompanying PDF documentation, "WebSite Professional 2.1 Supplement."
  2. Fixed a bug that caused wildcard redirects on URL paths to work incorrectly. A wildcard functioned correctly when it was preceded by a path branch (for example, /a/b/*) but failed when it was used in the middle of a string (for example, /a/b/ab*). This bug was introduced prior to WebSite Pro 2.0's release. Previously, wildcard redirects had worked properly.
  3. Fixed byte-range support for Adobe Acrobat 3.01. This new version of Acrobat generates very large byte-range specifications.
  4. Fixed Publishing control authentication under Windows 95.
  5. Allowed PUT for imagemap files (for wwwserver/imagemap files). These files are no longer considered executable.

iHTML Changes in Hot Fix 2.0c (1-Dec-97)

  1. Fixed iIMAGE tags that were improperly defaulting to GIF. They now default to JPEG.
  2. Fixed the iDIR tag to work properly on the last item in a directory.
  3. Fixed iPOP and iEVAL to prevent crashing if a required directive is missing. Some other tags had this same problem and have been fixed.
  4. Turned off logging to prevent the creation of large GHOOK.LOG files by graphics filters. Logging will be an option in future releases.
  5. Fixed iDATE and all other date/time related tags that were reporting incorrect results on dates including 08.
  6. Added error checking so that dates with invalid entries, such as 32 days in a month or pre-1970, generate error conditions.
  7. Fixed iPOP to not generate an exception when a bad username and password is encountered.
  8. Fixed iEVAL to calculate properly when there are redundant brackets.
  9. Fixed iSTRJUST to work with strings longer than the LEN directive.
  10. Fixed iERROR to allow it to be used for errors in nested loops or include files.
  11. Fixed iMAIL to work if directives other than ADDRESS are first.
  12. Fixed a problem with variables ending in a - or _ not being properly resolved.
  13. Changed iHTML cookies to be case insensitive. This change corrects a problem encountered when cookies were set as uppercase and read as lowercase, which prevented updating of cookie information.
  14. Fixed the iFILE tag START directive to use the specified value. Previously, this directive would always use 0.
  15. Fixed iCGI tag for Windows NT. Note that the Windows 95 architecture will not support this tag.
  16. Added new directives KILL and TIMEOUT to the iCGI tag.
  17. Added a workaround for a Microsoft ODBC/OLE bug that caused 998 (OleMainThreadWndName) Error and other OLE/ODBC errors that locked up any program using DDE/OLE for communications (such as Eudora and Photoshop). Note that this workaround slows down iHTML slightly.
  18. Enabled <#ihtml> to be used in place of <!ihtml>. This change allows FrontPage to work with the normal special <!ihtml> tag. Note that the <!ihtml> or <#ihtml> MUST be in the first 100 bytes of the file to be recognized. This change improves the speed of iHTML.
  19. Fixed a problem with displaying a date or using the iTIME tag within an iSQL tag structure. Previously, this usage would give unpredictable results when the times had numbers in the low teens and the database result table had at least 10 result columns. For example, 11:12:13 would resolve to :12 and :13 as the result columns. To get around this potential problem, use an ALIAS in the iSQL tag. In addition, you can use the new NUMBERS directive, which defaults to TRUE. Setting NUMBERS to FALSE causes :# variables not to be created for the result set.
  20. Fixed conditions that caused Document Contains No Data errors under certain circumstances.
  21. Fixed iRANDOM and iTIMESLOT tags to return a blank string rather than generate an error if the tables they referenced were empty. This was a problem with Merchant if all the advertisements are deleted.
  22. Fixed iISDIGIT and iISALPHA to return FALSE if the SRC="" . Previously, this condition returned TRUE.
  23. Fixed date functions to return dates based on a one-based year. Previously, these used a zero-based year (for example, Jan 1st is day 0).
  24. Fixed ENTMAN.EXE and iBPPE.EXE to recognize the time ranges for the back page processor. Previously these ranges were ignored. In addition, you can modify the SCHEDULE.MDB file so the interval is a LONG instead of an INT so larger intervals are possible.
  25. Error messages from iHTML are now entered into WebSite Pro 2.0's server log (WebSite\Logs\server.log).
  26. Fixed a problem with i_error not being passed correctly to the main error handling page. Also fixed the passing of ODBC errors to the error handling page for better diagnostics of ODBC problems.
  27. Fixed iIMAGESETPIXEL to work as documented.
  28. Fixed iFILE so that the APPEND operation is the default if DATA exists, as documented.
  29. Fixed iPOP to delete messages properly from NT Mail servers such as Post.Office.
  30. Made several changes to the iPAY tag for using CyberCash. iPAY now reports an error if settings are non-existent or invalid. Also, spaces are automatically removed from credit card numbers for hand off to the CyberCash server by the iPAY tag. Registry settings were added for CreditSecret, CreditHost, and CreditPort and can either be set globally under the key HKEY_LOCALMACHINE\SOFTWARE\Inline\iHMTL\CurrentVersion\CyberCash or on a per store basis under the key HKEY_LOCALMACHINE\SOFTWARE\Inline\iHMTL\ CurrentVersion\contexts\store_name\CyberCash. The store_name in the per store settings are taken from the new datasource name you supply while installing a new store. The STORE directive tells iPAY which store_name (datasource name) to use for retrieving settings. If a store-specific Registry entry exists, it overrides the global key. Three other new directives, HOST, SECRET, and PORT, override both the global and store-specific values if they are set.
  31. Added the ESC directive to the iSQL and iHTML tags to prevent the automatic escaping of single quote characters. Set ESC=FALSE to enable this feature.
  32. Added the ## option to the TO directive of iBASECONV where ## is any number between 2 and 36 that can be used as a numerical base.
  33. Added the SEED directive to iRNDNUM to allow the seeding of the random number generator. iHTML already uses known good random seeding algorithms and the SEED directive does not need to be used.
  34. Added CASE and START directives to iSTRIN. The CASE directive forces case sensitivity if set to TRUE. The optional START directive indicates the starting position for finding a match.
  35. Added the DAY directive to iDATEEXT to specify which day of the week to use as the starting point when calculating the number of weeks in a year (TYPE =weekdaysinyear). The default value is Sunday.
  36. Added the GLOBAL directive to iEQ to make the variable global (when set to TRUE). This directive is required to work with global variables that need QUOTE=TRUE or EVAL=TRUE.
  37. Added a new environment variable :i_currentpage to report the name of the file in which the variable resides.
  38. Added the EXPR directive to iIF and iWHILE. The EXPR directive for these tags works similar to the same directive for iEVAL.
  39. Enhanced the set of math operators available to iMATH, iEVAL, and iIF as follows:
    Operator Description
    +, PLUS Add
    -, MINUS Subtract
    *, TIMES Multiply
    /, DIV Divide
    <, LT Less than
    >, GT Greater than
    =, EQ, EQUAL, EQUALS, IS Equal to
    P, POW, POWTEN 10x
    #, NE, NEQ, != Not equal to
    C, COS Cosine (degrees)
    S, SIN Sine (degrees)
    ASIN, ASN Asin
    T, TAN Tan (degrees)
    N, LN Ln
    %, MOD Modulus
    ^, EXP Raised to
    |, OR Or
    &, AND And
    X, XOR XOr
    ! Factorial
    K, GE, GTE, =>, !> >=
    L, LE, LTE, =<, !< <=
    e, EXP, ETOX e to the x
    ACOS, ACS Acos
    ATAN, ATN Atan
    G, LOG Log

iHMTL Merchant Changes in Hot Fix 2.0c (1-Dec-97)

  1. Fixed the handling of single apostrophes on the customer data entry page. PAGE: basket2.ihtml
  2. Enabled https from the checkout button. Note that the correct URL must be in the Merchant admin for this to work correctly. PAGES: ccsecure.ihtml, basket6.ihtml, basket.ihtml
  3. Fixed the cookie path so it is set to work correctly with multiple merchants and the same customer. PAGES: merchant.ihtml, config_required.ihtml, update.ihtml
  4. Fixed pricing layout of products to show precision. PAGE: merchant.ihtml
  5. Fixed problem with globals not being reloaded after a change. PAGE: config_required.ihtml
  6. Fixed problem that prevented banner ads from being added to the Merchant. PAGE: ad_add.ihtml
  7. Removed the hard-coded address in the feedback form ( You can now configure this address on the administration page. PAGE: feedback.ihtml
  8. Added category description to the merchant.ihtml page. PAGE: merchant.ihtml
  9. Fixed problem with unit values not being loaded after changes are saved in product edit. PAGE: prod_edit.ihtml
  10. Fixed problem with taxes being added to the shipping as well as the product price. PAGE: basket5.ihtml
  11. Fixed the ability to turn taxes on or off on a per product basis. PAGES: prod_add.ihtml, prod_edit.ihtml, basket5.ihtml
  12. Added new payment method. You can now use email instead of CyberCash or Internet Secure. PAGES: config_commerce.ihtml, basket5.ihtml, basket3.ihtml, emsecure.ihtml, update.ihtml
  13. Fixed problem of handling of global variables for multiple stores. PAGES: all .ihtml files in the main directory, mainly index.ihtml and header.ihtml
  14. Fixed the BASE+COUNT calculation for quantities of product being ordered that are greater than 1. PAGE: basket5.ihtml
  15. Updated the COPY function in the products menu. PAGE: prod_edit.ihtml
  16. Discovered that by leaving out the protocol when adding banners causes banners to work correctly on secured and non-secured pages.
  17. Added the functionality to send an email to the store administrator when an order is placed via CyberCash. PAGE: ccsecure.ihtml
  18. Changed the secure page method to use a separate URL so that you can turn secure mode on or off as necessary. PAGES: update.ihtml config_required.ihtml basket.ihtml

Changes in Hot Fix 2.0b (12-Nov-97)

  1. Fixed handling of trusted roots that contain IA5TEXT items in the issuer Domain Name (DN). This problem affected users who have purchased Thawte certificates. To implement this fix, you must remove all Thawte trusted roots and replace them with updated ones. You should do so whether or not your server currently has any certificates--from Thawte or from another CA. Follow the steps in the installation instructions for WebSite Pro 2.1 to update the Key Ring with the new Thawte trusted roots.
  2. Updated the master WebSite key file (website-master.key) with correct Thawte trusted roots. If your server currently has no Key Ring (that is, no password and no certificates), the new master key file will be used when you configure a Key Ring database password. See the installation instructions for Hot Fix 2.0b for more details.
  3. Enhanced the virtual server capability by allowing the IP address string to be used to connect to identities bound to an IP address without needing to create a separate identity for the IP address via the Identity Wizard.
  4. Changed the server's response to 400 Bad Request when a connection is via an unknown local IP/host. This change is to conform to RFC 2068.
  5. Changed request handling so that the query string from the Referrer: header field is retained.
  6. Added association parameters to the new internal association map. This addition allows file types to be mapped to a DLL as well as to a parameter string for that DLL. This change arose from the need for associated JavaSoft-style servlets.
  7. Fixed API DLL cache so that when the same DLL is used for direct execute and associated execute it is loaded only once. Previously it was loaded twice.
  8. Changed the service start dependency list to remedy slow start problems when the server was running as a service. The dependency list required RPCSS and NTLMSSP, with NTLMSSP set to automatic start.
  9. Suppressed the display of the WebSite Key Ring database password dialog when the server is running in service/hidden mode. Displaying the password dialog contributed to the slow start problems (see item 8).
  10. Fixed root directory listings of remote NT share or UNC paths. Previously, requests for such directory listings returned a 404 Not Found error. This problem did not occur when the remote share or UNC was on a Win95 system.
  11. Changed automatic directory listings to not display the Parent Directory link unless it leads to a valid URL.
  12. Changed the server so that it will run without an anonymous account. This change was not due to a bug in the server, but is a workaround for a Microsoft bug in the Novell provider (the specific bug is an improper handling of any call to LogonUser(), which is used by anonymous accounts to get an access token). The bug prevents any process using LogonUser() from being able to connect to Novell volumes. If your server's configuration requires access to Novell volumes (either UNC or mounted volumes), you must remove all uses of anonymous accounts (on the Identity tab of Server Properties for a single-identity server or in the Registry for a multiple-identity server). Also note that without an anonymous account the server will not be able to perform any tasks that require the anonymous account including running in NT user contexts. See the WebSite Knowledge Base for specific situations. This workaround will be unnecessary once the Microsoft bug is fixed.
  13. Fixed access control on /~icons and /~wsdocs so that one access restriction applies to all identities, rather than needing to be set for each identity. This fix closes a potential security problem.
  14. Changed the access checking routine for special functions to skip access restrictions for publishing.
  15. Changed the display in 404 Not Found responses to show the native format physical path with \ delimiters. Previously the display incorrectly used / delimiters.
  16. Changed handling of non-SSL requests for SSL-only URLs by redirecting the request transparently to SSL. Previously such requests returned Permission Denied responses.

Changes in Hot Fix 2.0a (26-Sep-97)

  1. We've discovered a Microsoft Visual C++ V5 compiler bug that affects WebSite Pro's SSL feature. If optimization is enabled while compiling the SSL code, the resulting code causes Pro V2's SSL to hang after a short period of time. This hot fix replaces the previous server with one rebuilt with compiler optimization disabled in the SSL code.
  2. Some Registry entries were not being properly created if the selected installation directory for Pro V2 included a space in its name. This bug is fixed in 2.0a.

Additions to the documentation at Initial Release (15-Sep-97) - WebSite Pro V2.0

  1. If you are upgrading from any previous version, note that the way the server handles multiple identities has changed. No longer are identities bound strictly to IP addresses; rather, the server reads the Host: header field sent by the browser to determine the identity for the request. This new feature increases the number of identities you can support with fewer IP addresses. However, if you used IP address and host names interchangeably as references to your web, the IP addresses will fail unless added as specific identities to the server. See Chapter 8 in Mastering the Elements for a complete discussion of multiple identities.

  2. WebSite Pro 2.0's identities can run under specific NT anonymous accounts, with passwords that do not need to be stored. Every time the server is started or reinitialized, it changes the password on each anonymous account to a new random string unique to that account only. Under most conditions, this works well. However, you may want to use a fixed password with an anonymous account for some special need. You can do this by entering the account username and password separated by a colon (acctname:password) into the anonymous account field of the Identity page of the server's property sheet, for example
    See Chapter 10 of Mastering the Elements for a discussion of using the NT anonymous account feature.

  3. When you define an access control point that uses the NT Native realm, the available users and groups are taken from the Windows NT native users and groups. These are taken from the local system and/or the default domain controller, if present. It is not possible to use NT accounts in domains other than the default domain for the system on which the server is running. Of course, you can use locally-defined accounts.

    If the system on which the server is running is part of a domain and also has local accounts, a problem may arise when an account with the same name exists in both places and access control is set for the domain account. The standard NT account search algorithm looks for a local account first, then for an account on the domain controller and uses whichever account it finds first. If a local account is found but it is not authorized for access by the access control point (because the access control point is set for the domain account), access fails. There is no opportunity to try the domain account. You can override this search behavior by entering the fully qualified account name in the standard DOMAIN\USERNAME format (for example, yourdomain\yourname) in the username/password authentication dialog. Specifying the domain forces authentication to use the account on the domain controller.

    See Chapter 10 of Mastering the Elements for a discussion of using the NT Native realm feature.

  4. Shopping basket submissions to ISecure include, as part of the transaction, a reference back to the Merchant site to return the customer back to the Merchant site when the transaction with ISecure is complete. For this feature to work correctly, the URL you enter in the Merchant Site Configuration, Property Config, Site URL field, must be in the following format:   <---[no trailing slash] 
    For example, the sample Merchant comes preconfigured with /~wsdocs/merchant/. To make this sample work properly with ISecure, change the Site URL to

    If you prefer to have the Site URL appear differently, you can also edit the code in the Merchant file basket5.ihtml as follows:

    Change the line

    See Chapter 5 of Creating Dynamic Content for a discussion of iHTML Merchant.

  5. Due to WebSite Pro 2.0's support for impersonation of NT accounts, launching the property sheet from the server icon has been eliminated for security reasons. As a result, the context menu no longer appears when running as a system service.
-- END --

© 1999, O'Reilly & Associates, Inc.