Hello,
To make a long story short.. I will sort my WCF scenario (IIS is the
host, a Windows Forms app as the client):
1- In my WCF service, I have a login method (Login(string user, string
password)); this method returns a GUID, and the client calls the method.
2- If, at the server side, the user and password were correct, the method
creates a random GUID in the database along with the authenticated
username and returns the GUID.
3- On the client side, the GUID is stored in memory.
4- Now all other methods in the server have SessionID as the first
parameter, for example (GetSomethingMethod(Guid SessionID, string
param1, int param2)) and so on.
5- On the server side, in each method I call a static method to check the
sessionID; if the session exists and the owner of that session has the
authority to perform that method, I return true, if not I return false
along with a custom FaultException (SessionExpired).
Now this scenario seems OK so far; I don't have to worry about a lot
of things so far, but the problem is if I want to use the same service from
a website.. Should I simply put my sessionID in a cookie? Or should I
change the whole scenario now, before things get really serious? I
still have time to change the whole concept.. I read a lot of blogs and
questions here, but actually it wasn't really clear enough in the
(applying them) part, even if it was clear in theory. I just need your
opinion, guys. I read a lot for the past 72 hours about security
scenarios in WCF.. to be honest it's not really clear to me and some
times it sounds like rocket science to me :(
Regards to all.
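As an added illustration of steps 2 and 5 above (example code written for this thread, not the poster's service): a hypothetical in-memory session store that mints the token from a cryptographic RNG, enforces an idle timeout on the server side, and raises the typed SessionExpired fault from one place so no operation runs on a stale token. The class name SessionStore, the 20-minute timeout and the mayCall authorization callback are assumptions; the post keeps the table in a database instead.

```csharp
using System;
using System.Collections.Concurrent;
using System.Runtime.Serialization;
using System.Security.Cryptography;
using System.ServiceModel;

// Fault detail for the custom SessionExpired fault named in the post.
[DataContract]
public class SessionExpired
{
    [DataMember] public string Reason { get; set; }
}

// Hypothetical in-memory store standing in for the database table of step 2.
public static class SessionStore
{
    private sealed class Entry { public string User; public DateTime ExpiresUtc; }
    private static readonly ConcurrentDictionary<Guid, Entry> Sessions =
        new ConcurrentDictionary<Guid, Entry>();
    private static readonly TimeSpan IdleTimeout = TimeSpan.FromMinutes(20); // assumed

    // Step 2: mint the session token after the password check succeeded.
    // 16 bytes from the OS CSPRNG are used rather than Guid.NewGuid(), which is
    // an identifier generator, not a documented cryptographic source.
    public static Guid Create(string user)
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var id = new Guid(bytes);
        Sessions[id] = new Entry { User = user, ExpiresUtc = DateTime.UtcNow + IdleTimeout };
        return id;
    }

    // Step 5: called first in every operation; returns the session owner or
    // throws the typed fault, so callers never continue on a bad token.
    public static string Require(Guid sessionId, Func<string, bool> mayCall)
    {
        Entry e;
        if (!Sessions.TryGetValue(sessionId, out e) || e.ExpiresUtc <= DateTime.UtcNow)
        {
            Sessions.TryRemove(sessionId, out e); // drop the stale entry
            throw new FaultException<SessionExpired>(
                new SessionExpired { Reason = "unknown or expired session" });
        }
        if (!mayCall(e.User)) // owner lacks authority for this operation
            throw new FaultException<SessionExpired>(
                new SessionExpired { Reason = "operation not permitted" });
        e.ExpiresUtc = DateTime.UtcNow + IdleTimeout; // sliding idle timeout
        return e.User;
    }
}
```

Each operation would start with `var user = SessionStore.Require(SessionID, u => CanCallGetSomething(u));` and the operation contract would declare `[FaultContract(typeof(SessionExpired))]` so the client receives the typed fault.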