UserName authentication - Secuity token to avoid repeated authentication RRS feed

  • Question

  • I've WCF services exposed  for WCF client apps ( winforms)  running in Internet. Users login to application providing username and password, which I plan to validate against custom data store. Users would work with the client app for most part of the day ( ie. sessions could span between 4 - 8 hrs) . Based on this requirements, I've designed my services as follows

    1. IIS hosted, anonymous authentication enabled, https enabled
    2. Service Configured to use wsHttpBinding, security mode='Message', Message security set to UserNameCredentials
    3. Have written CustomUserNameValidator and have successfully plugged  in
    4. Client code -  sets proxy.clientcredentials.username=xxx, .password=yyyy, prior to all service calls.

    I've some questions on this

    1. Does username and password need to be sent for all requests ( which seems to be so)

    2. If yes, for above qn, I would like this to happen only for the login service, and for others would like to avoid re-authenticating again and again. Can login embed a token, which an validated in all requests at server end with out lookup in db. (  Ofcourse, avoid opening up any security risks like session replay etc)

    3. Need a 'WCF solution', which would work irrespective of the hosting.

    3. If #2 is possible, what needs to be coded/configured in client and server code.
    Monday, June 29, 2009 9:01 AM


  • Hi,

    You have two options,

    1. If you enable secure conversation for the binding (it is enabled for default for most bindings), WCF will negociate a session security token the first time the service is consumed. If the keep the proxy alive somewhere, the session token will still exist within that proxy, and therefore the session will be reused. When the WCF service receives a valid session security token, it does not authenticate the user again, it assumes it was successfully authenticated in the first call.

    2. Use supporting tokens as it is described here, http://www.leastprivilege.com/UserNameSupportingTokenInWCF.aspx

    Pablo Cibraro - http://weblogs.asp.net/cibrax
    • Proposed as answer by Pablo Cibraro Tuesday, June 30, 2009 1:26 PM
    • Marked as answer by Marco Zhou Wednesday, July 1, 2009 8:08 AM
    Monday, June 29, 2009 1:41 PM