How to: SessionMode=SessionMode.Required over HTTPS


  • Hi there,


    I'm trying to understand how WCF sessions work. I'm quite clear with NetTcpBinding.

    What I don't get it BasicHttpBinding and wsHttpBinding.


    BasicHttpBinding doesn't support sessions at all.

    wsHttpBinding does support session, but when I enable transport security (HTTPS mode), I get exception that reliable sessions are not supported.


    Where am I wrong? Is it generally possible to have sessioned web services over HTTPS?


    Thank you in advance

    Friday, June 29, 2007 10:52 AM


  • We’ve disallowed RM over Https in the standard bindings because the way to secure an RM session is to use a security session and Https does not provide session.


    I found the msdn blurb about it here:

    The blurb is “The only exception is when using HTTPS. The SSL session is not bound to the reliable session. This imposes a threat because sessions sharing a security context (the SSL session) are not protected from each other; this might or might not be a real threat depending on the application.


    However you can do it if you determine there is no threat. There is an RM over HTTPS sample via custom binding

    Friday, June 29, 2007 8:58 PM