Friday, June 29, 2007 10:52 AM
I'm trying to understand how WCF sessions work. I'm quite clear with NetTcpBinding.
What I don't get is BasicHttpBinding and wsHttpBinding.
BasicHttpBinding doesn't support sessions at all.
wsHttpBinding does support sessions, but when I enable transport security (HTTPS mode), I get an exception that reliable sessions are not supported.
Where am I wrong? Is it generally possible to have sessioned web services over HTTPS?
Thank you in advance
Friday, June 29, 2007 8:58 PM
We’ve disallowed RM over HTTPS in the standard bindings because the way to secure an RM session is to use a security session, and HTTPS does not provide a session.
I found the MSDN blurb about it here: http://msdn2.microsoft.com/en-us/library/ms733136.aspx
The blurb is “The only exception is when using HTTPS. The SSL session is not bound to the reliable session. This imposes a threat because sessions sharing a security context (the SSL session) are not protected from each other; this might or might not be a real threat depending on the application.”
However, you can do it if you determine there is no threat. There is an RM over HTTPS sample via custom binding: http://msdn2.microsoft.com/en-us/library/ms735116.aspx
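An added configuration example, not part of the original thread and not the MSDN sample itself: the first binding layers a reliable session directly over HTTPS, as the reply describes, so the RM session is not bound to the SSL session; the second keeps HTTPS but adds a message-level security session that the RM session can be secured with. The binding names are hypothetical and the UserName credential type is an assumption.

```xml
<system.serviceModel>
  <bindings>

    <!-- RM over HTTPS via a custom binding (hypothetical name).
         No security session is present: reliable sessions that share
         one SSL session are not protected from each other, which is
         the caveat quoted from MSDN above. Use only if that is
         acceptable for the application. -->
    <customBinding>
      <binding name="reliableOverHttps">
        <reliableSession ordered="true" />
        <textMessageEncoding />
        <httpsTransport />
      </binding>
    </customBinding>

    <!-- Standard binding alternative (hypothetical name).
         HTTPS still protects the transport, while the message
         credential establishes a security context (secure
         conversation) that gives the reliable session a security
         session to be bound to. -->
    <wsHttpBinding>
      <binding name="reliableWithSecuritySession">
        <reliableSession enabled="true" ordered="true" />
        <security mode="TransportWithMessageCredential">
          <!-- clientCredentialType is an assumption for this example -->
          <message clientCredentialType="UserName"
                   establishSecurityContext="true" />
        </security>
      </binding>
    </wsHttpBinding>

  </bindings>
</system.serviceModel>
```

The service contract still has to request a session (for example `SessionMode.Required`) for either binding to be used in a sessionful way.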