Why is the WCF wsHttpBinding Timestamp optional?

  • Question

  • Hi

    We have a WCF service that uses wsHttpBinding. The sample requests I generate include a timestamp which is validated by WCF for each request:

          <u:Timestamp u:Id="_0">
            <u:Created>2013-11-02T16:58:24.575Z</u:Created>
            <u:Expires>2013-11-02T17:03:24.575Z</u:Expires>
          </u:Timestamp>

    We recently had the service pen-tested, and the tester noticed that it's possible to simply omit the timestamp element, and requests are accepted without it.

    I'm reviewing the report, and I'd like to add an explanation for this. Unfortunately, I've had a good search and I can't find any resources which explain it, or even mention it.

    So my questions are:

     1. Why is this optional?
     2. In case I'm asked, is it possible to make the timestamp mandatory?

    This is the service binding config:

         <wsHttpBinding>
            <binding name="usernameHttps" maxReceivedMessageSize="2147483647">
              <security mode="TransportWithMessageCredential">
                <message clientCredentialType="UserName" establishSecurityContext="false" />
              </security>
            </binding>
          </wsHttpBinding>

    This is the client binding config:

        <wsHttpBinding>
            <binding name="WSHttpBinding_IService" maxReceivedMessageSize="2147483647">
              <security mode="TransportWithMessageCredential">
                <transport clientCredentialType="None" />
                <message clientCredentialType="UserName" establishSecurityContext="false" />
              </security>
            </binding>
          </wsHttpBinding>

    Thanks

    Stuart

    P.S. http://stackoverflow.com/questions/19770795/why-is-the-wcf-wshttpbinding-timestamp-optional

    Tuesday, November 5, 2013 1:31 PM
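
The check that the pen-test finding implies, as an added example that is not part of the original post and is not WCF code: a stand-alone Python validator, usable in a test harness or an intermediary, that rejects a SOAP request whose security header lacks the `u:Timestamp` shown in the question or carries a stale one. The function names, the five-minute skew and lifetime limits, and the sample envelope are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # for untrusted input prefer a hardened parser (e.g. defusedxml)
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
NS = {"s": "http://www.w3.org/2003/05/soap-envelope",  # SOAP 1.2 envelope
      "o": WSS + "secext-1.0.xsd",                     # WS-Security header
      "u": WSS + "utility-1.0.xsd"}                    # Timestamp, Created, Expires
MAX_SKEW = timedelta(minutes=5)      # assumed clock-skew allowance
MAX_LIFETIME = timedelta(minutes=5)  # assumed cap on Expires - Created

def _parse_utc(text):
    parsed = datetime.fromisoformat(text.strip().replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError("timestamp without time zone")
    return parsed

def check_timestamp(envelope_xml, now=None):
    """Return (accepted, reason); a request without a timestamp is rejected."""
    now = now or datetime.now(timezone.utc)
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return False, "not well-formed"
    stamps = root.findall("s:Header/o:Security/u:Timestamp", NS)
    if not stamps:
        return False, "missing timestamp"
    if len(stamps) > 1:
        return False, "duplicate timestamp"
    created = stamps[0].findtext("u:Created", namespaces=NS)
    expires = stamps[0].findtext("u:Expires", namespaces=NS)
    if not created or not expires:
        return False, "incomplete timestamp"
    try:
        created, expires = _parse_utc(created), _parse_utc(expires)
    except ValueError:
        return False, "malformed timestamp"
    if expires <= created or expires - created > MAX_LIFETIME:
        return False, "invalid lifetime"
    if created > now + MAX_SKEW:
        return False, "created in the future"
    if now > expires + MAX_SKEW:
        return False, "expired"
    return True, "ok"

def sample_envelope(timestamp_xml):  # constructed request, only the parts the check reads
    xmlns = " ".join(f'xmlns:{p}="{uri}"' for p, uri in NS.items())
    return (f"<s:Envelope {xmlns}><s:Header><o:Security>{timestamp_xml}"
            "</o:Security></s:Header><s:Body/></s:Envelope>")

SAMPLE_TS = ('<u:Timestamp u:Id="_0"><u:Created>2013-11-02T16:58:24.575Z</u:Created>'
             '<u:Expires>2013-11-02T17:03:24.575Z</u:Expires></u:Timestamp>')  # values from the question
```

Passing a fixed `now` makes the result reproducible; `check_timestamp(sample_envelope(""))` shows the rejection path for the omitted element.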

Answers