Cheap Username/Password Session Cookie Authentication/Authorization for Prototyping?

  • Question

  • My partner and I want to create a WCF service that implements username-password/session cookies to implement security for a proof-of-concept to some prospective customers. We want to use an inexpensive hosting service. Since my partner had a bad experience with the free Azure service before (I did not power down his Azure virtual machine because I thought he was using it and he got stuck with a big bill six months later), I agreed to look for an alternative.

    Is it possible to implement username-password forms security with session cookies for a WCF service without (self) certification? The cheapo hosting service I have access to won't let me self certify. I think this (WCF service that implements forms based security with session cookie without self cert) is possible because the Visual Studio WCF RIA business template implements username password security fine without self certification.

    It must be possible! How does Visual Studio do it? All my Google/Bing searching indicates I must self certify.

    Now I know we eventually want a cert when we go into production. Since this is a prototype, we are not going to worry about man-in-the-middle attacks or someone else impersonating our service.

    Could someone guide me to an example? 



    siegfried heintze

    Thursday, May 21, 2015 6:13 AM


  • Hi Siegfried,
      As per my research of this case, you are not able to implement forms security with session cookies for a WCF service without certification because you need some sort of secure channel.

    However, you don't need certificates on the clients, but one is needed on the server.
    Alternatively, I found Yaron Naveh's blog, which explains that you can implement this with a custom binding that enables clear-text username/password over HTTP without a certificate. For more information, click here to refer.

    Friday, May 22, 2015 9:53 AM