views: 250
answers: 2

Let's say we have a WCF service like the one from the MSDN examples -- C#, CalculatorService, with all the service settings on default.

If I were a hacker and I knew that CalculatorService was something important that I wanted to stop working, I could simply hack the code for the service references and make an application of my own that creates 10 clients. These clients would call a random (non-terminating) method on CalculatorService every now and then, to keep the session alive, and never close.

Now obviously, since all 10 sessions are taken (or whatever the maximum number of sessions is), no one can access CalculatorService; it is completely blocked!

How can we protect our services from that?

+1  A: 

The best thing to do would be to secure your WCF service:

In this article I will show you how you can implement security on a WCF service. There are many options and extensibility points for implementing security in WCF. You can also use specific products, such as the Windows 2003 Server Authorization Manager, together with WCF to implement the authorization requirements of a solution. Out of the box, WCF supports Windows credentials, Username Tokens and X.509 Digital Certificates as security credentials.

Andrew Hare
Thanks, but that doesn't appear to help in the situation I described. My service already has the default security mode. Maybe I should pay attention to something specific?
avance70
+3  A: 

If you're afraid a malicious hacker will clog up your service with bogus sessions, then don't use sessions! Use the "per-call" approach, and authenticate your users, e.g. make sure they're either in your Windows/AD domain, or they do have knowledge of a username/password to make calls to your service.

Should a malicious hacker get a valid username/password combination for your service, then you cannot do much to stop him from constantly sending you 10 or 20 concurrent requests and clogging up your service - at least not at the WCF service level. WCF provides service throttling behaviors to prevent thousands of malicious concurrent calls in order to protect your server from being flooded and crashed.

If you need to keep away specific IP's or ranges of IP's, you'll have to approach that earlier on - in your routers/firewalls - the WCF service can't really help you there.

marc_s
Thanks; as you say, this should probably be solved at the router/firewall level -- limit the number of connections allowed from one IP.
avance70
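The hosting setup the accepted answer describes, as an added example that is not part of the original question or answers: a sessionful contract of the kind the question worries about is shown next to a per-call, session-free contract, and the host is built with authenticated callers and explicit throttling. Everything here is hypothetical illustration, not the MSDN CalculatorService sample itself: the interface and class names, the role `BUILTIN\Users`, the throttle values, and the `https://localhost:8443` base address (which assumes a server certificate has already been bound to that port outside WCF) are all assumptions.

```csharp
// Added example (not from the original post). Shows the weak, sessionful
// contract shape beside the hardened per-call shape, then a host that
// requires Windows authentication and caps concurrency with throttling.
using System;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;

// WEAK: a sessionful contract. Each client that opens a channel occupies
// one server-side session slot until it closes or times out. An idle
// client that never closes keeps its slot forever; ten such clients fill
// a ten-session throttle, which is the outage the question describes.
[ServiceContract(SessionMode = SessionMode.Required)]
public interface ISessionfulCalculator
{
    [OperationContract]
    double Add(double a, double b);
}

// HARDENED: sessions are refused outright and every call gets a fresh
// instance, so there is no per-client state on the server for an idle
// client to pin. Opening the host with a session-capable binding would
// throw, which is a useful guard against reintroducing sessions later.
[ServiceContract(SessionMode = SessionMode.NotAllowed)]
public interface ICalculator
{
    [OperationContract]
    double Add(double a, double b);
}

[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall)]
public class CalculatorService : ICalculator
{
    // Authorization check: the caller must be an authenticated Windows
    // principal in this group. Unauthenticated traffic never gets here.
    // The group name is a placeholder for this example.
    [PrincipalPermission(SecurityAction.Demand, Role = @"BUILTIN\Users")]
    public double Add(double a, double b)
    {
        return a + b;
    }
}

public static class HardenedHost
{
    public static ServiceHost Build(Uri baseAddress)
    {
        var host = new ServiceHost(typeof(CalculatorService), baseAddress);

        // Transport security over HTTPS with Windows credentials: anonymous
        // clients are rejected by HTTP authentication before any operation
        // runs, and no WCF-level security session is created. Assumes a TLS
        // certificate is already bound to the listening port.
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

        // Reliable sessions would add server-side session state again; keep
        // them off. Short timeouts stop a slow or stalled connection from
        // holding server resources for long.
        binding.ReliableSession.Enabled = false;
        binding.ReceiveTimeout = TimeSpan.FromMinutes(1);
        binding.OpenTimeout = TimeSpan.FromSeconds(30);

        host.AddServiceEndpoint(typeof(ICalculator), binding, "calc");

        // Throttling: an attacker holding valid credentials can still send
        // many concurrent requests, but these caps bound the damage to
        // "slow" rather than "out of threads or memory". Illustrative values;
        // set them from measured capacity on a real deployment.
        var throttle = host.Description.Behaviors.Find<ServiceThrottlingBehavior>();
        if (throttle == null)
        {
            throttle = new ServiceThrottlingBehavior();
            host.Description.Behaviors.Add(throttle);
        }
        throttle.MaxConcurrentCalls = 64;
        throttle.MaxConcurrentInstances = 64;
        throttle.MaxConcurrentSessions = 64; // unused with SessionMode.NotAllowed, kept explicit

        // Map Windows group membership onto the PrincipalPermission roles
        // demanded on the operations.
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;

        return host;
    }

    public static void Main()
    {
        // Placeholder address for the example; a real host uses its own.
        using (var host = Build(new Uri("https://localhost:8443/CalculatorService")))
        {
            host.Open();
            Console.WriteLine("CalculatorService listening. Press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

Two things to check against your own configuration when applying this. First, `SessionMode.NotAllowed` is deliberately strict: if someone later swaps in a binding that supports sessions (for example `NetTcpBinding`, or message security with a security context token enabled), `host.Open()` fails instead of quietly becoming sessionful again. Second, the throttling defaults are what make the question's scenario plausible: in WCF 3.0/3.5 `MaxConcurrentSessions` defaults to 10, so ten idle sessionful clients are enough; .NET 4 raised the default to 100 per processor, but with the per-call, session-free shape above there is no session slot to exhaust in the first place, and the remaining exposure is ordinary request flooding, which the throttle and the upstream firewall handle as marc_s says.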