6 Replies Latest reply on Jan 6, 2008 1:44 AM by MarkBrindle

    .NET WebService & Security

      I want to build a Flex app which uses all of its remote data operations via .net web-service.
      The scenario:
      1. a login panel (in flex)
      2. send the user/pass to the webservice
      3. assuming user/pass are correct -> switch state to show app
      4. app is calling more methods from the same web-service to send and retrieve data

      The problem:
      If I call the web-service outside the flex app, I can invoke any method I want without the need to login...so, is there any way of keeping a "session"? or any other idea on how to secure the web-service methods (except the login method of course)?

      Thanks in advance,
        • 1. Re: .NET WebService & Security

          Your server should be setting up session values on the login call, and then check those values are valid on all other service requests...

          (bad ruby pseudo code follows..)

          def login
            # store the authenticated user in the server-side session
            session[:user] = user_object
          end

          def another_method
            # reject any call that has no valid session user
            raise "not logged in" unless session[:user] && session[:user].valid?
            # ... do the real work ...
          end
          • 2. Re: .NET WebService & Security
            gm00 Level 1
            Thanks for the reply.
            The thing is, in a .NET WebService, you cannot set any Session values (as opposed to an .aspx page).
            This is why I asked the question in the first place ;-)
            I know I can use an .aspx page as a data service (post to it and read the response), but a WebService is more "elegant"...
            Any other thoughts?
            Thanks again...
            • 3. Re: .NET WebService & Security
              gm00 Level 1
              Just found a few articles on enabling Session in .NET WS...
              Will test it and report back.
              • 4. Re: .NET WebService & Security
                Hi gm00,

                This is what I do.

                At the login, if all is OK I return a GUID. This GUID is passed to all WS calls after the login.

                On the server side, I create a table with the GUID, UserID and DateTime. On every call into the WS, I check that the table contains the GUID and that the last DateTime is less than say 20min. If all OK, I update the DateTime field with now(), else I simply throw an exception that is caught back in the Flex application. I also at this point delete any row with a timestamp > 20min to keep the table small.

                For testing you simply return true from the code that checks the Guid. I have been using this technique for a while and it works a treat.

                All the best

                • 5. Re: .NET WebService & Security
                  gm00 Level 1
                  Hi Mark,
                  Thanks for the detailed reply.
                  The thing is, I'm trying to avoid an extra DB query on every WS call...
                  I can basically send the user/pass to all WS calls instead of a GUID, but again, I then need to do some DB query...
                  Anyway, I found that I can add the EnableSession tag to the function declaration like: [WebMethod(EnableSession=true)] and by that enable a session just like on an aspx page.
                  Haven't tested it yet to confirm the performance but I will as soon as I do.
                  Thanks again,
                  • 6. Re: .NET WebService & Security
                    MarkBrindle Level 1
                    Sounds good. Don't worry about the DB call as you can do it in one call and if you're using SqlServer it's so fast you won't notice it (That is my experience anyway).

                    Where is the SessionState going to be held? If you store it in SqlServer then that is another db call anyway.

                    All lots of fun!!!!

                    I have written a Flex framework for integrating Flex and .Net with WS.


                    Cheers Buddy
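The GUID-token check described in reply 4, written out as an added C# ASMX example (not code from this thread or from Mark's framework). The GUID/UserID/DateTime table is replaced by an in-memory dictionary, and CredentialsValid and LoadData are hypothetical stand-ins for the real user and data stores; since the GUID is a bearer credential, the service is assumed to be served over HTTPS.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web.Services;

public class SecureService : WebService
{
    private const int IdleMinutes = 20;                     // reply 4's "say 20min"
    private sealed class Entry { public string UserId; public DateTime LastSeen; }
    // In-memory stand-in for the GUID/UserID/DateTime table the post keeps in the DB.
    private static readonly ConcurrentDictionary<Guid, Entry> Tokens =
        new ConcurrentDictionary<Guid, Entry>();

    [WebMethod]
    public Guid Login(string user, string pass)
    {
        if (!CredentialsValid(user, pass))                  // hypothetical user-store check
            throw new UnauthorizedAccessException("Bad credentials");
        Guid token = Guid.NewGuid();
        Tokens[token] = new Entry { UserId = user, LastSeen = DateTime.UtcNow };
        return token;                                       // Flex sends this with every later call
    }

    [WebMethod]
    public string GetData(Guid token, int id)
    {
        string userId = RequireValidToken(token);           // every non-login method starts here
        return LoadData(userId, id);                        // hypothetical data layer
    }

    // Unknown or idle-too-long token: throw (reaches Flex as a SOAP fault); otherwise refresh it.
    private static string RequireValidToken(Guid token)
    {
        PurgeExpired();
        Entry entry;
        if (!Tokens.TryGetValue(token, out entry) || IsExpired(entry))
            throw new UnauthorizedAccessException("Session invalid or expired");
        entry.LastSeen = DateTime.UtcNow;                   // the post's "update the DateTime with now()"
        return entry.UserId;
    }
    private static bool IsExpired(Entry e) =>
        DateTime.UtcNow - e.LastSeen > TimeSpan.FromMinutes(IdleMinutes);
    private static void PurgeExpired()                      // "delete any row with a timestamp > 20min"
    {
        Entry dropped;
        foreach (var kv in Tokens)
            if (IsExpired(kv.Value)) Tokens.TryRemove(kv.Key, out dropped);
    }
    // Hypothetical stand-ins; a real service would query the user and data stores here.
    private static bool CredentialsValid(string u, string p) => u == "demo" && p == "demo";
    private static string LoadData(string userId, int id) => userId + ":" + id;
}
```

Calling GetData with a GUID that was never issued, or one idle for more than 20 minutes, fails before any data access runs, which is the check that was missing when the service was invoked outside the Flex app.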