Answer: How to: SessionMode=SessionMode.Required over HTTPS

  • Friday, June 29, 2007 10:52 AM
     
     

    Hi there,

     

    I'm trying to understand how WCF sessions work. I'm quite clear with NetTcpBinding.

    What I don't get is BasicHttpBinding and wsHttpBinding.

     

    BasicHttpBinding doesn't support sessions at all.

    wsHttpBinding does support sessions, but when I enable transport security (HTTPS mode), I get an exception that reliable sessions are not supported.

     

    Where am I wrong? Is it generally possible to have sessioned web services over HTTPS?

     

    Thank you in advance

All Replies

  • Friday, June 29, 2007 8:58 PM
     
     Answered

    We’ve disallowed RM over HTTPS in the standard bindings because the way to secure an RM session is to use a security session, and HTTPS does not provide a session.

     

    I found the MSDN blurb about it here: http://msdn2.microsoft.com/en-us/library/ms733136.aspx

    The blurb is “The only exception is when using HTTPS. The SSL session is not bound to the reliable session. This imposes a threat because sessions sharing a security context (the SSL session) are not protected from each other; this might or might not be a real threat depending on the application.”

     

    However you can do it if you determine there is no threat. There is an RM over HTTPS sample via custom binding http://msdn2.microsoft.com/en-us/library/ms735116.aspx
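
Added example, not part of the original thread and not the code of the MSDN sample linked above: a session-required contract hosted on the custom binding the answer describes, next to a standard-binding alternative that adds a message-level security session on top of HTTPS. The contract, class and method names are hypothetical, and the HTTPS address passed to `CreateHost` is assumed to have a server certificate already bound to it.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Hypothetical contract. SessionMode.Required makes the host refuse any
// binding that cannot provide a session (BasicHttpBinding, for example).
[ServiceContract(SessionMode = SessionMode.Required)]
public interface ICounter
{
    [OperationContract]
    int Increment();
}

[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerSession)]
public class Counter : ICounter
{
    private int _count;                       // state kept per session
    public int Increment() { return ++_count; }
}

public static class SessionBindings
{
    // Reliable session layered directly on HTTPS. The RM session is NOT
    // bound to the SSL session, so choose this only after deciding that
    // sessions sharing one SSL security context need no protection from
    // each other.
    public static Binding ReliableSessionOverHttps()
    {
        return new CustomBinding(
            new ReliableSessionBindingElement(true),   // ordered delivery
            new TextMessageEncodingBindingElement(),
            new HttpsTransportBindingElement());
    }

    // Alternative with a standard binding: HTTPS for the transport plus a
    // message-level security session that the reliable session is tied to.
    public static Binding ReliableSessionWithSecuritySession()
    {
        return new WSHttpBinding(SecurityMode.TransportWithMessageCredential, true);
    }

    // httpsAddress is supplied by the caller, e.g. an https:// base address.
    public static ServiceHost CreateHost(Uri httpsAddress, Binding binding)
    {
        var host = new ServiceHost(typeof(Counter), httpsAddress);
        host.AddServiceEndpoint(typeof(ICounter), binding, "");
        return host;
    }
}
```

With `SecurityMode.Transport` and reliable sessions enabled, `WSHttpBinding` throws the exception described in the question; the two bindings above are the ways around it.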