The first time I log onto my webservice I want to use FormsAuthentication e.g.

myService.ClientCredentials.UserName.UserName = "name";
myService.ClientCredentials.UserName.Password = "password";

but once a user has logged onto my web app I don't want to have to know about his password, so I would like to be able to connect to the webservice as this user without knowing his password. Is this possible?

A: 

I would save the password on whatever front end is accessing the web service and then pass it behind the scenes whenever the user called the web service.

So essentially, design your web service to take a password always, but have the front end cache the password so once the user enters the password, the front end doesn't ask again.

Be forewarned, there may be a security concern with keeping the password cached, as I believe that would be part of the session. I'm not familiar with how .net handles this, but you may want to look into hashing.

James McMahon
Yes, I'm not able to store the password anywhere except hashed etc. inside the database so this wouldn't work for me.
AJM
AJM, you might want to make the web service accept a pre-hashed password, and have the frontend hash the password before it caches it.
James McMahon
Or look into HTTPS for your front end.
James McMahon
A: 

You should be able to do this, but there are several issues to consider. Forms-based Authentication (FBA) normally uses a cookie to track authentication.

  1. Security - Configure the web application and web service to use the same FBA database.

  2. Domain - As long as the web service is on the same domain as the web application, the web service can use the same authentication cookie. If the client has cookies disabled, then this may not work.

  3. Cookie expiration - You need to configure the duration of the authentication to an acceptable time limit (30 minutes, 1 hour, 1 day, or more) in the web.config file. This will allow the user to access the web service within a proper time frame after he or she has logged in.

Ryan
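A web.config sketch of the settings this answer lists, added here as an illustration and not part of the original answer. The cookie name, login URL and key values are placeholders (assumptions); the same `<forms>` and `<machineKey>` values go in both the web application and the web service so that each can validate the ticket issued by the other.

```xml
<!-- Added example: place the same settings in the web.config of BOTH
     the web application and the web service. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- name, protection and path must be identical in both applications.
           timeout is in minutes: here a ticket is valid for 30 minutes and
           slidingExpiration renews it while the user stays active.
           requireSSL keeps the ticket cookie off plain-HTTP requests.
           loginUrl is a placeholder for this example. -->
      <forms name=".ASPXAUTH"
             loginUrl="~/Login.aspx"
             protection="All"
             path="/"
             timeout="30"
             slidingExpiration="true"
             requireSSL="true" />
    </authentication>

    <!-- Both applications need the same explicit keys; auto-generated
         per-application keys cannot decrypt each other's tickets.
         Replace the placeholders with your own generated key material
         and keep it out of source control. -->
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_HEX"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_HEX"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>
</configuration>
```

A shorter `timeout` limits how long a captured ticket stays usable, since the ticket stands in for the password on every call after login.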
A: 

You can enable sessions in your webservice. There is a simple token that you add in at the beginning of the service declaration.

<WebMethod(True)> Method Name
Middletone