Databases
StackOverflow2013
Postsdbo
PO
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    text
    copied!<p>If you want "sessions" with wsHttpBinding, you have to use either reliable messaging, or the security sessions. (source : <a href="https://stackoverflow.com/questions/2650738/how-to-enable-wcf-session-with-wshttpbidning-with-transport-only-security">how to enable WCF Session with wsHttpBidning with Transport only Security</a>).</p> <p>WSHttpBinding supports session but only if either security (SecureConversation) or reliable messaging are enabled. If you are using transport security then it is not using WS-SecureConversation and WS-ReliableMessaging is turned off by default. Therefore the two protocols that WSHttpBinding uses for session are not available. You either need to use message security or turn on reliable session. (source : <a href="http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/57b3453e-e7e8-4875-ba23-3be4fff080ea/" rel="nofollow noreferrer">http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/57b3453e-e7e8-4875-ba23-3be4fff080ea/</a>).</p> <p>We’ve disallowed RM over Https in the standard bindings because the way to secure an RM session is to use a security session and Https does not provide session.</p> <p>I found the msdn blurb about it here: <a href="http://msdn2.microsoft.com/en-us/library/ms733136.aspx" rel="nofollow noreferrer">http://msdn2.microsoft.com/en-us/library/ms733136.aspx</a> The blurb is “The only exception is when using HTTPS. The SSL session is not bound to the reliable session. This imposes a threat because sessions sharing a security context (the SSL session) are not protected from each other; this might or might not be a real threat depending on the application.”</p> <p>However you can do it if you determine there is no threat. There is an RM over HTTPS sample via custom binding <a href="http://msdn2.microsoft.com/en-us/library/ms735116.aspx" rel="nofollow noreferrer">http://msdn2.microsoft.com/en-us/library/ms735116.aspx</a> (source : <a href="http://social.msdn.microsoft.com/forums/en-US/wcf/thread/fb4e5e31-e9b0-4c24-856d-1c464bd0039c/" rel="nofollow noreferrer">http://social.msdn.microsoft.com/forums/en-US/wcf/thread/fb4e5e31-e9b0-4c24-856d-1c464bd0039c/</a>).</p> <p>To sum up your possibilities you can either :</p> <p>1 - Keep wsHttpBinding, remove transport security and enable reliable messaging</p> <pre><code> &lt;wsHttpBinding&gt; &lt;binding name="bindingConfig"&gt; &lt;reliableSession enabled="true" /&gt; &lt;security mode="None"/&gt; &lt;/binding&gt; &lt;/wsHttpBinding&gt; </code></pre> <p>But you loose the SSL layer and then part of your security.</p> <p>2 - Keep wsHttpBinding, keep transport security and add message authentication</p> <pre><code> &lt;wsHttpBinding&gt; &lt;binding name="bindingConfig"&gt; &lt;security mode="TransportWithMessageCredential"&gt; &lt;message clientCredentialType="UserName"/&gt; &lt;/security&gt; &lt;/binding&gt; &lt;/wsHttpBinding&gt; </code></pre> <p>You get to keep your SSL security layer but your client will have to provide credentials (of any form) and even if you don't validate them at the service side, fake ones must still be provided as WCF will reject any message not specifying credentials.</p> <p>3 - Use a custom binding with reliable messaging and HTTPS transport</p> <pre><code> &lt;customBinding&gt; &lt;binding name="bindingConfig"&gt; &lt;reliableSession/&gt; &lt;httpsTransport/&gt; &lt;/binding&gt; &lt;/customBinding&gt; </code></pre> <p>I can't see any downside to this except the threat explained in MSDN, and it depends on your application.</p> <p>4 - Use other session providers If your application is hotsed in IIS, you could set </p> <pre><code>&lt;serviceHostingEnvironment aspNetCompatibilityEnabled="true"/&gt; </code></pre> <p>and depend on the </p> <pre><code>HttpContext.Current.Session </code></pre> <p>for your state.</p> <p>Or implementing your own cookies.</p> <p>PS : Note that for all those WCF configuration, I only tested service activation, not calls.</p> <p>EDIT : As per user request, <code>wsHttpBinding</code> with <code>TransportWithMessageCredential</code> security mode implementing sessions (I'm not too familiar with VB.NET so pardon my syntax) :</p> <p>Service code snippet :</p> <pre><code>&lt;ServiceContract(SessionMode:=SessionMode.Required)&gt; Public Interface IService1 &lt;OperationContract()&gt; _ Sub SetSessionValue(ByVal value As Integer) &lt;OperationContract()&gt; _ Function GetSessionValue() As Nullable(Of Integer) End Interface &lt;ServiceBehavior(InstanceContextMode:=InstanceContextMode.PerSession, ConcurrencyMode:=ConcurrencyMode.Single)&gt; Public Class Service1 Implements IService1 Private _sessionValue As Nullable(Of Integer) Public Sub SetSessionValue(ByVal value As Integer) Implements IService1.SetSessionValue _sessionValue = value End Sub Public Function GetSessionValue() As Nullable(Of Integer) Implements IService1.GetSessionValue Return _sessionValue End Function End Class Public Class MyUserNamePasswordValidator Inherits System.IdentityModel.Selectors.UserNamePasswordValidator Public Overrides Sub Validate(userName As String, password As String) ' Credential validation logic Return ' Accept anything End Sub End Class </code></pre> <p>service Configuration snippet : </p> <pre><code>&lt;system.serviceModel&gt; &lt;services&gt; &lt;service name="WcfService1.Service1" behaviorConfiguration="WcfService1.Service1Behavior"&gt; &lt;endpoint address="" binding="wsHttpBinding" contract="WcfService1.IService1" bindingConfiguration="bindingConf"/&gt; &lt;endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/&gt; &lt;/service&gt; &lt;/services&gt; &lt;bindings&gt; &lt;wsHttpBinding&gt; &lt;binding name="bindingConf"&gt; &lt;security mode="TransportWithMessageCredential"&gt; &lt;message clientCredentialType="UserName"/&gt; &lt;/security&gt; &lt;/binding&gt; &lt;/wsHttpBinding&gt; &lt;/bindings&gt; &lt;behaviors&gt; &lt;serviceBehaviors&gt; &lt;behavior name="WcfService1.Service1Behavior"&gt; &lt;serviceMetadata httpsGetEnabled="true"/&gt; &lt;serviceDebug includeExceptionDetailInFaults="false"/&gt; &lt;serviceCredentials&gt; &lt;userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="WcfService1.MyUserNamePasswordValidator, WcfService1"/&gt; &lt;/serviceCredentials&gt; &lt;/behavior&gt; &lt;/serviceBehaviors&gt; &lt;/behaviors&gt; &lt;/system.serviceModel&gt; </code></pre> <p>Client test code snippet : </p> <pre><code>Imports System.Threading.Tasks Module Module1 Sub Main() Parallel.For(0, 10, Sub(i) Test(i)) Console.ReadLine() End Sub Sub Test(ByVal i As Integer) Dim client As ServiceReference1.Service1Client client = New ServiceReference1.Service1Client() client.ClientCredentials.UserName.UserName = "login" client.ClientCredentials.UserName.Password = "password" Console.WriteLine("Session N° {0} : Value set to {0}", i) client.SetSessionValue(i) Dim response As Nullable(Of Integer) response = client.GetSessionValue() Console.WriteLine("Session N° {0} : Value returned : {0}", response) client.Close() End Sub End Module </code></pre>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload