How to: SessionMode=SessionMode.Required over HTTPS

    Question

  • Hi there,

     

    I'm trying to understand how WCF sessions work. I'm quite clear with NetTcpBinding.

    What I don't get is BasicHttpBinding and wsHttpBinding.

     

    BasicHttpBinding doesn't support sessions at all.

    wsHttpBinding does support sessions, but when I enable transport security (HTTPS mode), I get an exception that reliable sessions are not supported.

     

    Where am I wrong? Is it generally possible to have sessioned web services over HTTPS?

     

    Thank you in advance

    Friday, June 29, 2007 10:52 AM

Answers

  • We’ve disallowed RM over HTTPS in the standard bindings because the way to secure an RM session is to use a security session, and HTTPS does not provide a session.

     

    I found the msdn blurb about it here: http://msdn2.microsoft.com/en-us/library/ms733136.aspx

    The blurb is “The only exception is when using HTTPS. The SSL session is not bound to the reliable session. This imposes a threat because sessions sharing a security context (the SSL session) are not protected from each other; this might or might not be a real threat depending on the application.”

     

    However you can do it if you determine there is no threat. There is an RM over HTTPS sample via custom binding http://msdn2.microsoft.com/en-us/library/ms735116.aspx

    Friday, June 29, 2007 8:58 PM
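
The custom-binding approach mentioned in the answer, as an added example that is not part of the original thread and is not the code of the linked MSDN sample. The contract, service class, address and port are hypothetical, and the host assumes an SSL certificate is already bound to that port. The reliable session stacked here is not bound to the SSL session, so this fits only where the threat quoted in the answer has been judged acceptable.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Hypothetical contract: SessionMode.Required makes WCF reject any binding
// that cannot supply a session when the endpoint is added and opened.
[ServiceContract(SessionMode = SessionMode.Required)]
public interface ICounter
{
    [OperationContract]
    int Increment();
}

// One instance per session, so the counter shows that state survives between calls.
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerSession)]
public class Counter : ICounter
{
    private int _count;
    public int Increment() { return ++_count; }
}

public static class Program
{
    // Binding elements are listed top-down: protocol, then encoding, then transport.
    // The reliable session supplies the session that HTTPS itself does not provide.
    public static Binding CreateReliableSessionOverHttps()
    {
        var reliable = new ReliableSessionBindingElement(true); // true = ordered delivery
        var encoding = new TextMessageEncodingBindingElement();
        var https = new HttpsTransportBindingElement();
        return new CustomBinding(reliable, encoding, https);
    }

    public static void Main()
    {
        // Placeholder address; a certificate must already be registered for this port.
        var address = new Uri("https://localhost:8443/counter");
        var host = new ServiceHost(typeof(Counter), address);
        try
        {
            host.AddServiceEndpoint(typeof(ICounter), CreateReliableSessionOverHttps(), "");
            host.Open();
            Console.WriteLine("Listening on {0}. Press Enter to stop.", address);
            Console.ReadLine();
            host.Close();
        }
        catch (CommunicationException) { host.Abort(); throw; }
    }
}
```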