About protocols and security

  • Question

  • User-2076991548 posted

    Hi there, 

    Let's see if there's a simple answer to this. I've been using asmx services for a long time but now I move to WCF (did a couple of things before, nothing fancy) for good.

    My scenario is a desktop app (WPF, but might be something else tomorrow, an Android app maybe) to handle a local repository and a web server to perform some syncing between users.

    I am not sure how to SECURE my webservice calls and I was kinda used to relying on SESSION (ASP.NET type of sessions), so I can have, for instance, a syncing progress monitor. Using sessions was the easiest way I know to simulate some kind of state or conversation. I also use them for authenticating once and then checking against the session to see if the "requesting user" is authenticated.

    My idea was to have a service over HTTPS and with session enabled. What should I do? Most of my logic is already developed so I now just have to choose the best way to secure it. Help!!!

    btw - I've spent a LONG TIME on the internet learning about wsHttpBinding, BasicHttpBinding and stuff... still I haven't yet developed a way of my own to take this decision.

    thanks in advance,


    Sunday, February 17, 2013 6:40 PM

All replies

  • User-1000095884 posted


    There are a number of possible client and service security configurations; I'd suggest you take a look at the Common Security Scenarios document for common security scenarios.

    If you want to secure the service over HTTPS, you can find a document below which demonstrates how to design a service secured by HTTPS with a custom username and password validator in IIS.

    #WCF Service over HTTPS with custom username and password validator in IIS


    To learn more about how to use sessions in a WCF application, see #Using Sessions


    Hope this helps.

    Best Regards.

    Tuesday, February 19, 2013 4:20 AM
  • User-2076991548 posted

    Hey! Thanks for answering.

    First of all, as an update, I've been working lately on implementing transport (ssl)+message (wshttpbind) security + custom username validator. I'm glad to see that you suggest the same thing. It's good to know I made the right choice.

    SO - I decided NOT TO USE SESSIONS. It's hard to say this all friend goodbye (at least in WCF), but I've already taken that decision. Now... how could I implement, in wsHttpBinding+SSL, some sort of PROGRESS MONITOR for long running tasks?

    If you could answer quickly that would be awesome! What about using dictionaries of [username, progress]?? Could it work? Is there any special reason why static dictionaries wouldn't work in my environment? Maybe a concurrent dictionary? Will they last as long as the server is up? Is there an ASP-like worker process behind all this?


    Tuesday, February 19, 2013 3:50 PM
  • User-1000095884 posted


    how could I implement, in wsHttpBinding+SSL some sort of PROGRESS MONITOR for long running tasks?

    I do not understand what you mean by this, can you explain more clearly?

    But WCF sessions are very different from ASP.NET sessions. WCF sessions are represented as service instances (as CLR objects) and the states are part of each service instance. ASP.NET sessions are like shared data storage across different requests. You can find more information in the blog below.


    Best Regards.

    Thursday, February 21, 2013 1:11 AM
  • User-2076991548 posted

    Hi Haixia,

    Simple: I call a method in my WCF (wsHtt + ssl). This process takes 3 minutes to run. I want to give the user updated feedback on the long-running operation. How can I do this with wshttpbinding + ssl?

    So far as I know, wsHttpBinding + SSL DOES NOT SUPPORT any kind of session and service instances are per-request. I've tried other methods with session but they do not support transport+message security!

    I insist: wsHttpBinding + Message-level security + some way to persist status data among service calls


    Thursday, February 21, 2013 12:41 PM
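
The [username, progress] dictionary idea raised in this thread, sketched as an added example (not code from any poster): a per-call WCF service that starts the long job in the background and lets the client poll, keyed on the identity WCF authenticated rather than on a client-supplied name. `ISyncService`, `SyncService`, `CallerName` and `DoSyncStep` are hypothetical names, and the static dictionary lives only as long as the host process, so an IIS application pool recycle clears it.

```csharp
using System;
using System.Collections.Concurrent;
using System.ServiceModel;
using System.Threading.Tasks;

[ServiceContract]
public interface ISyncService   // hypothetical contract
{
    [OperationContract] void StartSync();
    [OperationContract] int GetProgress();   // 0-100, or -1 when no job is known
}

// Per-call instancing: no WCF session is required by this design.
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall)]
public class SyncService : ISyncService
{
    // Process-wide state shared by all per-call instances.
    private static readonly ConcurrentDictionary<string, int> Progress =
        new ConcurrentDictionary<string, int>(StringComparer.OrdinalIgnoreCase);

    // Use the authenticated identity, never a username passed as a parameter,
    // so one user cannot poll or overwrite another user's job.
    private static string CallerName()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous)
            throw new FaultException("Authentication required.");
        return ctx.PrimaryIdentity.Name;
    }

    public void StartSync()
    {
        string user = CallerName();   // capture here: the context is not set on the worker thread
        Progress[user] = 0;
        Task.Run(() =>
        {
            for (int step = 1; step <= 100; step++)
            {
                DoSyncStep(user, step);   // hypothetical unit of sync work
                Progress[user] = step;
            }
        });
    }

    public int GetProgress()
    {
        int pct;
        return Progress.TryGetValue(CallerName(), out pct) ? pct : -1;
    }

    private static void DoSyncStep(string user, int step) { /* placeholder for real work */ }
}
```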