WebSite Professional 2.4
Server Build 2.4.9
Property Sheet Build 2.4.9
This is WebSite Professional 2.4. This point release contains
a major upgrade to the cryptographic engine in WebSite. With
this upgrade, WebSite now supports the new Transport Layer
Security (TLS) 1.0 protocol, the successor to SSL 3.0. In
addition, this is the first release of WebSite Pro that
supports the use of client certificates for authentication.
This release also includes all fixes to version 2.0, through
These release notes are cumulative, documenting all changes
made to WebSite Pro 2.0 since its release in September 1997.
The extensive new features introduced in WebSite Pro 2.1
are fully described in the PDF document, "WebSite Professional
2.1 Supplement," which is available at http://software.oreilly.com/techsupport/index_ws.html.
The UpLink publishing utility is documented in its online help.
UpLink is included in the WebSite Pro 2.4 zip file as
uplink_setup.exe. UpLink is provided as freeware to the Internet
community. You may freely copy and redistribute it.
NOTE ABOUT SUPPORT
O'Reilly & Associates provides installation support online
at http://forums.oreilly.com/~website in the Installation Support conference.
O'Reilly accepts no responsibility for UpLink or
its use. Beyond the FAQ at http://website.ora.com/uplink
O'Reilly & Associates provides no technical support for UpLink.
Changes in Point Release 2.4 (15-Dec-1999)
- Major upgrade to cryptographic engine, certificate handling,
and SSL 2.0 and 3.0 protocols, as well as additional ciphers
and hash functions.
- New support for Transport Layer Security (TLS) 1.0 security
- New support for client certificate authentication. See the
lists (below) of new server and CGI variables resulting from
this addition. Note that the server does not make access
control decisions based on supplied certificates. This must
be done within a CGI/WSAPI/ISAPI application or using a
WSAPI authentication DLL.
- New support for exporting public and private key pairs and
trusted roots. This support is available from the Key Ring
tab in Server Properties.
- A folder of trusted roots has been placed in the
WebSite\Admin folder for convenience in updating trusted
- The property sheet now allows for creation/deletion and
certification of key pairs over and over without requiring
that you close and reopen the property sheet.
- WSAPI is now at version 1.3, reflecting the addition of cert
items to the TCTX. Older extensions will work with this new
version if they version-bind leniently. See the list below.
- Windows CGI is now at version 1.4, reflecting the addition
of cert items in a new [crypto] section. Older Windows CGI
programs will work with this new version. See the list below.
- Standard CGI is now at 1.4 reflecting the addition of cert
items in the environment variables. See the list below.
- The server has two new server-side content types for
handling non-existent files: wwwserver/isapi-x and
wwwserver/wsapi-x. These new content types pass through
non-existent files, providing functionality for advanced
features for files of these types without disrupting
current support for other files that require checking. The
wwwserver/?sapi content types generate 404 messages as
in earlier versions of WebSite.
- ISAPI ISA extension handshakinng is now lenient. It will
allow an ISA with any version to bind to WebSite Pro. If
the ISA uses advanced ISAPI features not supported by
WebSite, an error will be logged.
- iHTML is updated to 2.18; see http://www.ihtml.com/support
for the latest version of iHTML and iHTML Merchant.
New TCTX items for WSAPI 1.3 in WebSite 2.4
// Additional remote (client) identity
BOOL bClientAuth; // TRUE if client suth succeeded
BOOL bTrustInvalid; // TRUE if no trusted root for the cert
char *remote_cert_subject; // Subject DN (RFC1485, alloc)
char *remote_cert_issuer; // Issuer DN (RFC1485, alloc)
int remote_cert_keysize; // Public key size, bits (e.g., 512, 1024)
char *remote_cert_serial; // Serial number, hex (alloc)
time_t remote_cert_begin; // Cert validity begin (CRT time)
time_t remote_cert_end; // Cert expiration (CRT time)
char *remote_cert_status; // Status (e.g., "REVOKED", alloc)
BYTE *remote_cert; // Raw cert BER
DWORD remote_cert_len; // Length of cert BER
// Server Cert info
char *local_cert_subject; // Subject DN (RFC1485, alloc)
char *local_cert_issuer; // Issuer DN (RFC1485, alloc)
int local_cert_keysize; // Public key size, bits (e.g., 512, 1024)
// SSL/TLS connection
int data_keysize; // Data cipher key size, bits (e.g., 40, 128)
New WSAPI/ISAPI server variables for WebSite Pro 2.4
The following new server variables are described in the IIS/ISAPI
documentation. We tried to follow this as closely as possible,
but there may be minor differences in formatting. Some items may
be empty; for example, if there was no client (cert) auth, then
the client cert items will be empty. The CERT_FLAGS item tells
whether the client cert was used, and if it was validated against
one of WebSite's trusted roots. These variables are available by
name to WSAPI and ISAPI extensions via GetServerVariable().
New Windows CGI variables for WebSite Pro 2.4
These are put into a new [crypto] section of the INI file:
SecureConnection ("Yes" or "No")
ServerCertSubject RFC1485 format
ServerCertIssuer RFC1485 format
ServerCertKeysize (string, e.g., "512", "1024")
DataKeysize (string, e.g., "128", "40")
ClientCertSubject RFC1485 format
ClientCertIssuer RFC1485 format
ClientCertKeysize (string, e.g., "512", "1024")
ClientCertSerial (hex string)
ClientCertStatus (string, e.g., "EXPIRED")
ClientCertTrusted ("Yes" - "No", if trusted root present)
ClientCertValid (HTTP-standard date-time, cert valid time)
ClientCertExpires (HTTP-standard date-time, cert exp time)
New Standard CGI variables (no new DOS CGI vars!!)
HTTPS ("ON" or "OFF")
HTTPS_SERVER_SUBJECT RFC1485 format
HTTPS_SERVER_ISSUER RFC1485 format
HTTPS_SECRETKEYSIZE (string, e.g., "512", "1024")
HTTPS_KEYSIZE (string, e.g., "128", "40")
HTTPS_CLIENT_SUBJECT RFC1485 format
HTTPS_CLIENT_ISSUER RFC1485 format
HTTPS_CLIENT_SECRETKEYSIZE (string, e.g., "512", "1024")
HTTPS_CLIENT_SERIALNUMBER (hex string)
HTTPS_CLIENT_STATUS (string, e.g., "EXPIRED")
HTTPS_CLIENT_TRUSTED ("YES" - "NO", if trusted root is present)
HTTPS_CLIENT_VALID (HTTP-standard date-time, cert valid time)
HTTPS_CLIENT_EXPIRES (HTTP-standard date-time, cert exp time)
Changes in Hot Fix 2.3.18 (9-Sep-99)
- Large HTTP methods will now cause a 500 server error (buffer
too small in getword()) and the server will continue to operate.
- All control characters are now removed from the URL and Referer
fields prior to logging. Spaces are retained.
- HTTP/0.9 requests are now logged.
- IP-based virtual server support now works for HTTP/0.9. Note
that IP-less virtual servers cannot be supported as HTTP/0.9
does not provide headers and the Host: header is required for
IP-less virtual server support.
- Fixed file descriptions from HTML in directory listings. The
HTML title will be used if the ... tags fall
within the first 1023 characters, regardless of line breaks.
- Increased the number of hostnames WebSite Pro can support to
- Fixed SSI.DLL so it will not cause an access violation on a
query string with a name and no value.
- Removed the dependencies for the Registry key LogKeepCycles.
Since release 2.2 this value has not been used and the
dependencies were unnecessary. See the release notes for
Release 2.2 (items #2-3) for an explanation of the log
- QuickStats is now Y2K compliant.
Changes in Hot Fix Release 2.3.15 (25-Nov-98)
- Fixed an authentication problem with release 2.3.14.
Changes in Point Release 2.3.14 (20-Nov-98)
- Fixed a small memory leak that occurred with ISAPI requests.
- The working thread "limit" has been increased to 20,480.
Changes in Point Release 2.3.10 (22-Oct-98)
- This version now supports multiple certificates on one web
server that were created with different key strengths.
Changes in Point Release 2.3.9 (08-Oct-98)
- Remove any newlines in Referer:, User-Agent:, etc. prior
to logging. (see #23 in 2.2 release notes, this item was not
fully implemented in 2.2, fixed in release 2.3.8)
- Domestic server only. Changed the SSL library functions such
that an export browser can succesfully negotiate a step-down
when establishing an SSL connection with a full strength server.
Changes in Point Release 2.3.7 (14-Jul-98)
- Reversed a change to the logging logic and Windows Log Format such that the local host name is logged,
rather than the Host: header sent by the browser.
- Fixed a bug in ssi.dll where query strings in exec'd cgi applications were not being cleared out.
- Increased the stack allocation in WebFind to handle extremely large results.
- Replaced an incorrectly shipped (in 2.3) debug build of index.exe with the correct build.
- Added online help for Server Properties.
Changes in Point Release 2.3 (01-Jul-98)
- Changed handling of HTTP requests with a Host: header field. If an HTTP request contains a
Host: header field, the hostname value is now always used for URL fix-up, as the SERVER_NAME CGI
variable, in the various Java classes that encapsulate the current request's hostname, and as the
value of other variables that store the hostname of a request.
- Changed the form of HTTP-compliant date/time strings generated by the
server. Such places as the Date: header field and common/combined log
entries now always contain the English form of the abbreviated month
and day-of-week names. This is required by HTTP/1.0 and HTTP/1.1.
- Changed how the server handles requests containing extra header fields
with no value strings. The server no longer traps on such requests.
The server is still strict in its testing of standard header fields.
- Revised the Windows Log Format. The new version is 1.1. The only
change is to the date/time field. In the past, this field was allowed to
vary with Regional Settings and operating system language/locale
characteristics. Beginning with this version, the date and time fields in
the Windows Log Format are fixed. The format is:
If you are using the Windows Log Format, you should cycle your log files
before installing WebSite Pro version 2.3. You may also need to make
changes in your log analyzing program settings.
- Modified QStats to read the Windows Log Format version 1.1.
- Fixed a sporadic bug in swish.dll (affecting WebFind) that would cause a search in document titles only to return incorrect results.
- Enhanced WebFind. It now displays the number of matching documents found and more descriptive error messages when a keyword is too common or not found.
- Included a new tool, WSVersion, to assist users and tech support with tracking the versions of installed components.
- Added a new setting for people who are using an ASP document as their
default (index) document and experience problems with ASP during server cold-startup. You can now instruct the server to wait for a specified time before accepting connections. This is a workaround for the ASP bug where asp.dll says it's ready for action before it really is. The startup delay value is stored in the Registry:
CurrentVersion StartupDelay:REG_BINARY:00 00 00 00
The default is no delay at cold startup. To specify a delay setting
for the StartDelay value, enter a delay time in milliseconds. Note that
this value obeys the usual binary conventions for REG_BINARY values.
For example, 30 sec. is 30000 milliseconds, or 7530 hex, so the setting
in the Registry should be 30 75 00 00. If you don't know what setting
to use (and don't mind a 30 second delay on cold start), just use the above
value for 30 seconds.
- Fixed a security hole caused by Windows that would allow a file to be
opened and served improperly, exposing the source of in-line executable
iHTML Changes in Point Release 2.3; iHTML version 2.15; Merchant 1.04
Please refer to the documenatation installed in
Changes in HotFix 2.2a (11-Apr-98)
This hot-fix addresses three problems that came to our attention shortly
after the release of version 2.2. No new features have been added. The
problems fixed in this release are:
- The server stops without logging any problems when the Referer: header
field exceeds "a few hundred bytes" and the target URL is not found (404)
or forbidden for access (403).
- The server stops without logging any problems when an ISMAP imagemap
request is received, the click is outside any of the defined hot-spot
regions, and there is no Default entry in the imagemap (.map) file.
- On Windows NT, the total size of the shell environment block was too
small to execute a standard CGI program. This would occur, for example,
when the Referer: header field is "large". The environment size limit has
been increased to 64K bytes.
- This release also adds a new content type mapping for Adobe Form Definition
Changes in Point Release 2.2 (10-Feb-98)
- Changed handling of requests containing a Host: header field with a
hostname that is not configured as an identity. Such requests are now
routed to the identity that is bound to the IP address on which the
request was received. This makes it possible to use CNAME DNS records in
the same way they were used before introduction of IP-less multi-homing.
If there are no identities bound to the IP address on which the request
was received, the server returns an error.
- Added support for automatic log file cycling. See the Logging tab of
Server Properties for changes. Cycling can take place daily at any
hour, weekly, or monthly. In addition, cycling can take place
when a log file reaches a configured size.
- Changed naming of cycled-out log files. They are now named using the date
(in local time) at which the file was cycled. The format is:
where YYYY is the 4 digit year, MM is the 2 digit month, DD is the 2
digit day, and N is a sequence number, which gets bumped for each
cycle within a day. This naming scheme works with the WebTrends macro
language, which has substitution tokens for numeric parts of a date in
- Added the ability to disable access logging completely by erasing the
access log pathname on the Logging tab of Server Properties. You no
longer need to (nor should you) use NUL:. Erasing the path name causes
the server to completely skip its internal logging logic.
- Improved WebView. You can now create new identities from the left tree.
Startup time on a server with many virtual servers is reduced
dramatically. Memory consumption is reduced. Search speed is increased,
and there are many other small improvements.
- Added a way to create access control points from WebView. At the
mapping level and below, Access Control and Publish Control replace
"properties." Selecting these opens Server Properties to the appropriate
tab, with the *nearest applicable* access control point selected. If
there is no access control point for the exact path, you can add one
by clicking New, and the New Protected Path dialog appears with the
exact path in the URL Path text box.
- Added a Registry entry for the text of the 503 Too Busy response,
which you can now configure by editing the Registry at:
- Added the ability to disable exact date/time matching for the
"If-Modified-Since:" feature of HTTP and replace it with the inexact
algorithm specified in the HTTP specification. To disable exact
matching, edit the Registry as follows:
Exact IfModSince:REG_BINARY:00 00 00 00
The following value enables it:
Exact IfModSince:REG_BINARY:01 00 00 00
- Added a GUI for adjusting the heap and stack limits on WebSite Pro's
embedded Java virtual machine. The new Advanced button on the Java tab
of Server Properties opens the JRun advanced settings sheet.
- The server now rejects any HTTP request that contains a URL path
without a leading '/index.html'.
- Changed the 204 response, which now has no content. This conforms to
the HTTP/1.1 specifications.
- Changed server-generated directory listings so that the table/plain
mode is preserved when moving up and down between directories in a
- Changed password requirements for a newly created key ring. You are now
required to enter a password. The Cancel button is dimmmed in this case.
- Changed the response to a request for a non-existent object in an
access controlled path to return "access denied" instead of "not found."
- Changed the Windows Log Format so it generates date/time strings that
follow the settings in the Regional Settings control panel (see also item 39 below).
- Added the logging of 404 Not Found errors to error.log under all
- Added the logging of 503 Too Busy errors to error.log.
- Added the logging of 400 Bad Request errors resulting from connecting to
an unknown identity to access.log and error.log.
- Deleted the "trans proc" counter. It was too difficult to make this
one hundred percent accurate.
- Disabled "Implicit matching" in IP filtering. You are now required
to use '*' and '?' for pattern matching.
- Added to the HTTP header parsing engine the ability to catch really
corrupt requests, and return a 400 Bad Request, along with some hint of
the illegal junk in the header. This was added to handle garbage
Cookie: header fields being sent by some old browsers.
- Fixed a fencepost error in redirection mapping introduced in 2.1.
- Now remove any newlines in Referer:, User-Agent:, etc. prior
- Fixed the return from PUT to an existing file to return 200 OK instead
of 201 Created.
- Fixed the long-standing "odd" behavior of the task tray menu.
- Corrected the Perl and Python language names on the ASP tab of Server
- Fixed the Mapping tab so that the alert "You have unsaved changes..." no
longer appears at strange times.
- Improved the ASP tab in Server Properties. In checking for the presence
of ASP 1.0, if ASP 2.0 (unsupported) is installed, the ASP tab no longer
reports a strange Registry error.
- Fixed the Java tab on Server Properties. All controls are disabled
unless the WebSite Java Servlet SDK is installed.
- Added support for either ';' or ',' to separate default
document match patterns (e.g., "index.*,default.*" is legal now).
- Added Association and Content-type mappings for .stag files used
by the <servlet> tag.
- Removed a limit on the number of virtual servers that could be handled
by WebView, WebIndex and QuickStats.
- Changed WebIndex so it indexes the Title (not just the filename) of .cfm,
.dbm, .dbml, .htm, .html, .html-ssi, .ihtml, .shtml, and .ssi files.
- Fixed the WebSite Java Servlet SDK WebSite.Cookie class so that the
maxAge property is in seconds (as opposed to milliseconds).
The WebSite.Servlet API is now at version 1.2.
- Uncaught exceptions in WebSite type servlets now log the exception
information (including the stack traceback) into the WSJava.log file.
- Added the "Allow creation of directories" security option to the Publish
Control. Unless this is turned on, the server will prohibit creation of
directories as part of PUT operations to affected URL paths.
- Changed the limit on the maximum number of worker threads to 1024.
Previously, it was incorrectly set to 256.
- Fixed the WebSite.Servlet API to handle HTTP requests that have no
Accept: header, or an empty one.
- Added the option for WinLogFormat to use either the default Local
System date format or to use the user date format settings in
Control Panel. Note that when using the Control Panel setting,
if no user is logged in, the server reverts to using Local System
Default. This means if WebSite is running as a service, and users
log on and off, the date format in the log may change.
WinLogSystemDate:REG_BINARY:01 00 00 00 (use local system default)
WinLogSystemDate:REG_BINARY:00 00 00 00 (use Control Panel settings)
- The JRun Java Servlet kit has been updated:
- Adds support for JDK 1.2 version of the Servlet API 1.1
- Adds persistent session tracking capability
- Adds support for Servlet pooling (SingleThreadModel interface)
- JFC 1.1 based administration application/applet for remote admin capabilities of servlets
New Registry Data in Version 2.2
Exact IfModSince:REG_BINARY: (4 bytes)
WinLogSystemDate:REG_BINARY: (4 bytes)
CycleInterval:REG_BINARY: (4 bytes)
CycleSize:REG_BINARY: (4 bytes)
MaxNativeStack:REG_BINARY: (4 bytes)
MaxJavaStack:REG_BINARY: (4 bytes)
MaxJavaHeap:REG_BINARY: (4 bytes)
iHTML Changes in Point Release 2.2; iHTML version 2.12
- Improved speed in various areas and improved stability on Windows 95.
- Added the <iMULTIPART> tag to handle multiple part form uploads.
- Added the ability to upload forms and files on a single page.
- Changed <iHTTP> so it now sends Host: header fields.
- Added a new environment variable :i_currentpage to report the name of the
file in which the variable resides. (Missed previous release.)
- Added a feature to allow you to disable tags (see "New Registry
- Integrated GENSCK32.DLL with the main DLL to get rid of the message
window and more tightly integrate the code.
- Changed handling of GET methods on iHTML pages. These are now converted
to POST methods automatically. A Registry setting allows you to turn off
this feature if necessary (see LEAVEGET in "New Registry Settings" below).
- Added == as a new method to evaluate tags within tags. This can be used
like the EVAL=TRUE directive on <iEQ> to evaluate tags within tags such
as on the OUTPUT directive of <iHTML>.
- Improved error handling as follows:
- Improved handling of FATAL exceptions to prevent server crash.
- Enhanced the ihtml.log file with more diagnostic information.
Forward any ihtml.log files with an exception to firstname.lastname@example.org
with the page that caused the error for analysis and resolution.
- Added a new, more comprehensive log file to allow more detailed tracking
of errors occurring on the server. See ERRORLOGPATH in "New
Registry Settings" below).
- Fixed error reporting for tag set (tags that have ending pieces,
for example, </iMAIL>, </iIF>, </iWHILE>, </iLOOP>).
- Added error code 760 for colon variables in incorrect places.
- <iISDATE> now returns the correct result.
- Fixed <iCONTENT>, which was not keyed and wouldn't work.
- <iRANDOM> now works on the default connection.
- <iDATEEXT> now reports DAYOFYEAR and DAYSINYEAR correctly for 12/31/96
and calculates leap years.
- <iGETMIMEFILE> and <iGETMIMENAME> now work for file uploads.
- <iERROR> block no longer gets chopped off, causes errors, gets
double results, or outputs garbage text in certain situations.
- <iCOUNTER> works as it did in the shipping 2.1.
- <iLINK src="mailto:email@example.com"> now works as expected.
- <iPING> no longer gives an exception if used on a non-existant server.
- <i_pop_cc> returns the entire string of email addresses for all
- <iMAIL> works correctly with all sets of DLLs.
- K and L now work properly in <iIF> with the EXPR directive.
- <iPOPFETCH> now works correctly with LOAD=FALSE.
- Date functions now accept dates after 2035.
- Fixed <iSQL> timeout errors.
- SCHEDULE.MDB file imcrements the Next field correctly.
- <iEVAL> now works with a negative number.
- Added more error checking to <iMAIL>.
- <iSTRSPAN> no longer cuts off the last character.
- <iISDEF> no longer reports TRUE if the variable is defined as itself.
- <iPOPHEADERS> no longer cleans out previous message headers before
getting next message data.
- <iEVAL> reports error 500 if a divide by zero occurs.
- <iCGI> now reports error codes properly.
- <iDATEDIFF> no longer returns odd numbers.
- <iSTOP> now stops in all cases.
- Fixed <iEVAL>, which was causing problems with expressions like 25 - -25.
- Fixed <iBPPE> problem that caused it to seem not to start running.
- The <iHTML> BREAKONOUTPUT directive now breaks even if it is in an
- Fixed <iPOPFETCH> so it no longer crashes the server when deleting a large
- Fixed <iDIR>, which was causing an exception.
- Fixed problem with uploading GIF files.
- <iPING> now returns -1 if a domain is not found instead of 20, as
New iHTML version 2.12 Registry Settings
Added the following new string value Registry settings to the key
- COLNUMBERS - Determines whether to generate result columns as numbers
in the database related tags. The Registry setting is used as the
default for the NUMBERS= setting of those tags. Default is TRUE.
- TAGPEEK - Specifies how many tags the parser should look at when
looking for the tag. The default is 150. It may be set as low as
8 and still react to <!ihtml> at the start of the file. If set to 0, iHTML
doesn't bother looking for a <!ihtml> tag, and parses the file anyway.
- SINGLET - Sets single thread operation. Default is FALSE. If set to
TRUE, the server may deadlock if a single iHTML page uses 2 iHTTP tags
to talk to the same server.
- FLUSHSTMT - Allows SYBASE users to flush the result set when encountering
</iSQL>. FALSE is the default. Change to TRUE for Sybase.
- LEAVEGET - Disables conversion of GET method to POST method on <FORM>
tags. The default is TRUE.
- ERRORLOG - Turns error logging on and off. Set to TRUE or FALSE.
- ERRORLOGPATH - Sets the path and filename for the file in which to store all
tag ERROR conditions with diagnostic information.
- COOKIECASE - Used to enable case sensitivity on cookie names generated and
read by iHTML. The default is FALSE.
- Added the subkey /ERRORS with the string value setting E760. Turns off 760
error checking when set to false.
- Added the subkey /DISABLETAGS - You can add any of the following as settings
under this key:icgi,icopyfile, iconfig, idownload, ifile, ifileinfo,
ifiletransfer,iftp, igetmimefile, igetmimename, iregkey, iregval, isvc,
itelnet. Each setting corresponds to the tag of the same name. Set the string
value to true to disable the tag.
Changes in Point Release 2.1 (15-Dec-97)
- For a complete description of the new features affecting the
administration, security, and development environments of WebSite Pro,
see the accompanying PDF documentation, "WebSite Professional 2.1
- Fixed a bug that caused wildcard redirects on URL paths to work
incorrectly. A wildcard functioned correctly when it was preceded
by a path branch (for example, /a/b/*) but failed when it was used in
the middle of a string (for example, /a/b/ab*). This bug was introduced
prior to WebSite Pro 2.0's release. Previously, wildcard redirects
had worked properly.
- Fixed byte-range support for Adobe Acrobat 3.01. This new version of
Acrobat generates very large byte-range specifications.
- Fixed Publishing control authentication under Windows 95.
- Allowed PUT for imagemap files (for wwwserver/imagemap files). These
files are no longer considered executable.
iHTML Changes in Hot Fix 2.0c (1-Dec-97)
- Fixed iIMAGE tags that were improperly defaulting to GIF. They now
default to JPEG.
- Fixed the iDIR tag to work properly on the last item in a directory.
- Fixed iPOP and iEVAL to prevent crashing if a required directive is
missing. Some other tags had this same problem and have been fixed.
- Turned off logging to prevent the creation of large GHOOK.LOG files
by graphics filters. Logging will be an option in future releases.
- Fixed iDATE and all other date/time related tags that were reporting
incorrect results on dates including 08.
- Added error checking so that dates with invalid entries, such as 32
days in a month or pre-1970, generate error conditions.
- Fixed iPOP to not generate an exception when a bad username and
password is encountered.
- Fixed iEVAL to calculate properly when there are redundant brackets.
- Fixed iSTRJUST to work with strings longer than the LEN directive.
- Fixed iERROR to allow it to be used for errors in nested loops or
- Fixed iMAIL to work if directives other than ADDRESS are first.
- Fixed a problem with variables ending in a - or _ not being properly
- Changed iHTML cookies to be case insensitive. This change corrects
a problem encountered when cookies were set as uppercase and read
as lowercase, which prevented updating of cookie information.
- Fixed the iFILE tag START directive to use the specified value.
Previously, this directive would always use 0.
- Fixed iCGI tag for Windows NT. Note that the Windows 95 architecture
will not support this tag.
- Added new directives KILL and TIMEOUT to the iCGI tag.
- Added a workaround for a Microsoft ODBC/OLE bug that caused 998
(OleMainThreadWndName) Error and other OLE/ODBC errors that locked
up any program using DDE/OLE for communications (such as Eudora and
Photoshop). Note that this workaround slows down iHTML slightly.
- Enabled <#ihtml> to be used in place of <!ihtml>. This change allows
FrontPage to work with the normal special <!ihtml> tag. Note that the
<!ihtml> or <#ihtml> MUST be in the first 100 bytes of the file to be
recognized. This change improves the speed of iHTML.
- Fixed a problem with displaying a date or using the iTIME tag within
an iSQL tag structure. Previously, this usage would give unpredictable
results when the times had numbers in the low teens and the database
result table had at least 10 result columns. For example, 11:12:13
would resolve to :12 and :13 as the result columns. To get around this
potential problem, use an ALIAS in the iSQL tag. In addition, you can
use the new NUMBERS directive, which defaults to TRUE. Setting NUMBERS
to FALSE causes :# variables not to be created for the result set.
- Fixed conditions that caused Document Contains No Data errors under
- Fixed iRANDOM and iTIMESLOT tags to return a blank string rather than
generate an error if the tables they referenced were empty. This was a
problem with Merchant if all the advertisements are deleted.
- Fixed iISDIGIT and iISALPHA to return FALSE if the SRC="" . Previously,
this condition returned TRUE.
- Fixed date functions to return dates based on a one-based year. Previously,
these used a zero-based year (for example, Jan 1st is day 0).
- Fixed ENTMAN.EXE and iBPPE.EXE to recognize the time ranges for the back
page processor. Previously these ranges were ignored. In addition, you
can modify the SCHEDULE.MDB file so the interval is a LONG instead of an
INT so larger intervals are possible.
- Error messages from iHTML are now entered into WebSite Pro 2.0's server
- Fixed a problem with i_error not being passed correctly to the main
error handling page. Also fixed the passing of ODBC errors to the
error handling page for better diagnostics of ODBC problems.
- Fixed iIMAGESETPIXEL to work as documented.
- Fixed iFILE so that the APPEND operation is the default if DATA exists,
- Fixed iPOP to delete messages properly from NT Mail servers such as
- Made several changes to the iPAY tag for using CyberCash. iPAY now
reports an error if settings are non-existent or invalid. Also, spaces
are automatically removed from credit card numbers for hand off to the
CyberCash server by the iPAY tag. Registry settings were added for
CreditSecret, CreditHost, and CreditPort and can either be set globally
under the key HKEY_LOCALMACHINE\SOFTWARE\Inline\iHMTL\CurrentVersion\CyberCash
or on a per store basis under the key HKEY_LOCALMACHINE\SOFTWARE\Inline\iHMTL\
CurrentVersion\contexts\store_name\CyberCash. The store_name in the per
store settings are taken from the new datasource name you supply while
installing a new store. The STORE directive tells iPAY which store_name
(datasource name) to use for retrieving settings. If a store-specific
Registry entry exists, it overrides the global key. Three other new
directives, HOST, SECRET, and PORT, override both the global and
store-specific values if they are set.
- Added the ESC directive to the iSQL and iHTML tags to prevent the automatic
escaping of single quote characters. Set ESC=FALSE to enable this feature.
- Added the ## option to the TO directive of iBASECONV where ## is any number
between 2 and 36 that can be used as a numerical base.
- Added the SEED directive to iRNDNUM to allow the seeding of the random number
generator. iHTML already uses known good random seeding algorithms and the
SEED directive does not need to be used.
- Added CASE and START directives to iSTRIN. The CASE directive forces case
sensitivity if set to TRUE. The optional START directive indicates the
starting position for finding a match.
- Added the DAY directive to iDATEEXT to specify which day of the week to
use as the starting point when calculating the number of weeks in a year
(TYPE =weekdaysinyear). The default value is Sunday.
- Added the GLOBAL directive to iEQ to make the variable global (when set to
TRUE). This directive is required to work with global variables that need
QUOTE=TRUE or EVAL=TRUE.
- Added a new environment variable :i_currentpage to report the name of the
file in which the variable resides.
- Added the EXPR directive to iIF and iWHILE. The EXPR directive for these
tags works similar to the same directive for iEVAL.
- Enhanced the set of math operators available to iMATH, iEVAL, and iIF as
|=, EQ, EQUAL, EQUALS, IS
|P, POW, POWTEN
|#, NE, NEQ, !=
||Not equal to
|K, GE, GTE, =>, !>
|L, LE, LTE, =<, !<
|e, EXP, ETOX
||e to the x
iHMTL Merchant Changes in Hot Fix 2.0c (1-Dec-97)
- Fixed the handling of single apostrophes on the customer data
- Enabled https from the checkout button. Note that the correct
URL must be in the Merchant admin for this to work correctly.
PAGES: ccsecure.ihtml, basket6.ihtml, basket.ihtml
- Fixed the cookie path so it is set to work correctly with
multiple merchants and the same customer.
PAGES: merchant.ihtml, config_required.ihtml, update.ihtml
- Fixed pricing layout of products to show precision.
- Fixed problem with globals not being reloaded after a change.
- Fixed problem that prevented banner ads from being added to
- Removed the hard-coded address in the feedback form
(firstname.lastname@example.org). You can now configure this address on
the administration page.
- Added category description to the merchant.ihtml page.
- Fixed problem with unit values not being loaded after changes
are saved in product edit.
- Fixed problem with taxes being added to the shipping as well
as the product price.
- Fixed the ability to turn taxes on or off on a per product basis.
PAGES: prod_add.ihtml, prod_edit.ihtml, basket5.ihtml
- Added new payment method. You can now use email instead of
CyberCash or Internet Secure.
PAGES: config_commerce.ihtml, basket5.ihtml, basket3.ihtml,
- Fixed problem of handling of global variables for multiple stores.
PAGES: all .ihtml files in the main directory, mainly index.ihtml
- Fixed the BASE+COUNT calculation for quantities of product being
ordered that are greater than 1.
- Updated the COPY function in the products menu.
- Discovered that by leaving out the protocol when adding banners
causes banners to work correctly on secured and non-secured pages.
- Added the functionality to send an email to the store administrator
when an order is placed via CyberCash.
- Changed the secure page method to use a separate URL so that you
can turn secure mode on or off as necessary.
PAGES: update.ihtml config_required.ihtml basket.ihtml
Changes in Hot Fix 2.0b (12-Nov-97)
- Fixed handling of trusted roots that contain IA5TEXT items
in the issuer Domain Name (DN). This problem affected users
who have purchased Thawte certificates.
To implement this fix, you must remove all Thawte trusted roots
and replace them with updated ones. You should do so whether
or not your server currently has any certificates--from Thawte
or from another CA. Follow the steps in the installation
instructions for WebSite Pro 2.1 to update the Key Ring with
the new Thawte trusted roots.
- Updated the master WebSite key file (website-master.key)
with correct Thawte trusted roots. If your server currently
has no Key Ring (that is, no password and no certificates),
the new master key file will be used when you configure a
Key Ring database password. See the installation instructions
for Hot Fix 2.0b for more details.
- Enhanced the virtual server capability by allowing the IP
address string to be used to connect to identities bound to
an IP address without needing to create a separate identity
for the IP address via the Identity Wizard.
- Changed the server's response to 400 Bad Request when a
connection is via an unknown local IP/host. This change
is to conform to RFC 2068.
- Changed request handling so that the query string from the
Referrer: header field is retained.
- Added association parameters to the new internal association
map. This addition allows file types to be mapped to a DLL
as well as to a parameter string for that DLL. This change
arose from the need for associated JavaSoft-style servlets.
- Fixed API DLL cache so that when the same DLL is used for
direct execute and associated execute it is loaded only
once. Previously it was loaded twice.
- Changed the service start dependency list to remedy slow
start problems when the server was running as a service.
The dependency list required RPCSS and NTLMSSP, with NTLMSSP
set to automatic start.
- Suppressed the display of the WebSite Key Ring database
password dialog when the server is running in service/hidden
mode. Displaying the password dialog contributed to the slow
start problems (see item 8).
- Fixed root directory listings of remote NT share or UNC
paths. Previously, requests for such directory listings
returned a 404 Not Found error. This problem did not
occur when the remote share or UNC was on a Win95 system.
- Changed automatic directory listings to not display the
Parent Directory link unless it leads to a valid URL.
- Changed the server so that it will run without an anonymous
account. This change was not due to a bug in the server, but
is a workaround for a Microsoft bug in the Novell provider
(the specific bug is an improper handling of any call to
LogonUser(), which is used by anonymous accounts to get an
access token). The bug prevents any process using LogonUser()
from being able to connect to Novell volumes. If your server's
configuration requires access to Novell volumes (either UNC or
mounted volumes), you must remove all uses of anonymous accounts
(on the Identity tab of Server Properties for a single-identity
server or in the Registry for a multiple-identity server).
Also note that without an anonymous account the server will not
be able to perform any tasks that require the anonymous account
including running in NT user contexts. See the WebSite Knowledge
Base for specific situations. This workaround will be unnecessary
once the Microsoft bug is fixed.
- Fixed access control on /~icons and /~wsdocs so that one
access restriction applies to all identities, rather than
needing to be set for each identity. This fix closes a
potential security problem.
- Changed the access checking routine for special functions
to skip access restrictions for publishing.
- Changed the display in 404 Not Found responses to show
the native format physical path with \ delimiters.
Previously the display incorrectly used / delimiters.
- Changed handling of non-SSL requests for SSL-only URLs
by redirecting the request transparently to SSL.
Previously such requests returned Permission Denied
Changes in Hot Fix 2.0a (26-Sep-97)
- We've discovered a Microsoft Visual C++ V5 compiler bug
that affects WebSite Pro's SSL feature. If optimization
is enabled while compiling the SSL code, the resulting code
causes Pro V2's SSL to hang after a short period of time.
This hot fix replaces the previous server with one rebuilt
with compiler optimization disabled in the SSL code.
- Some Registry entries were not being properly created if
the selected installation directory for Pro V2 included a
space in its name. This bug is fixed in 2.0a.
Additions to the documentation at Initial Release (15-Sep-97) - WebSite Pro V2.0
-- END --
If you are upgrading from any previous version, note that
the way the server handles multiple identities has changed.
No longer are identities bound strictly to IP addresses;
rather, the server reads the Host: header field sent by the
browser to determine the identity for the request. This new
feature increases the number of identities you can support
with fewer IP addresses. However, if you used IP address and
host names interchangeably as references to your web, the
IP addresses will fail unless added as specific identities
to the server. See Chapter 8 in Mastering the Elements for
a complete discussion of multiple identities.
WebSite Pro 2.0's identities can
run under specific NT anonymous accounts, with passwords that
do not need to be stored. Every time the server is started or
reinitialized, it changes the password on each anonymous account
to a new random string unique to that account only. Under most
conditions, this works well. However, you may want to use a fixed
password with an anonymous account for some special need. You can
do this by entering the account username and password separated
by a colon (acctname:password) into the anonymous account field
of the Identity page of the server's property sheet, for example
See Chapter 10 of Mastering the Elements for a discussion of
using the NT anonymous account feature.
When you define
an access control point that uses the NT Native realm, the
available users and groups are taken from the Windows NT native
users and groups. These are taken from the local system and/or
the default domain controller, if present. It is not possible to
use NT accounts in domains other than the default domain for the
system on which the server is running. Of course, you can use
If the system on which the server is running is part of a domain
and also has local accounts, a problem may arise when an account
with the same name exists in both places and access control is set
for the domain account. The standard NT account search algorithm
looks for a local account first, then for an account on the domain controller and uses whichever account it finds first. If a local
account is found but it is not authorized for access by the access control point (because the access control point is set for the domain account), access fails. There is no opportunity to try the domain account. You can override this search behavior by entering the fully qualified account name in the standard DOMAIN\USERNAME format (for example, yourdomain\yourname) in the username/password authentication
dialog. Specifying the domain forces authentication to use the account
on the domain controller.
See Chapter 10 of Mastering the Elements for a discussion of
using the NT Native realm feature.
Shopping basket submissions
to ISecure include, as part of the transaction, a reference back
to the Merchant site to return the customer back to the Merchant
site when the transaction with ISecure is complete. For this
feature to work correctly, the URL you enter in the Merchant
Site Configuration, Property Config, Site URL field, must be in
the following format:
http://domain.name/merchant_directory <---[no trailing slash]
For example, the sample Merchant comes preconfigured with
/~wsdocs/merchant/. To make this sample work properly with ISecure, change the Site URL to
If you prefer to have the Site URL appear differently, you can
also edit the code in the Merchant file basket5.ihtml as
Change the line
<INPUT TYPE="HIDDEN" NAME="ReturnCGI"
<INPUT TYPE="HIDDEN" NAME="ReturnCGI"
See Chapter 5 of Creating Dynamic Content for a discussion of
- Due to WebSite Pro 2.0's support for impersonation of NT accounts,
launching the property sheet from the server icon has been eliminated
for security reasons. As a result, the context menu no longer appears
when running as a system service.
© 1999, O'Reilly & Associates, Inc.