The ramblings of web developer Beau Brownlee

 
May 24th, 2010

The Problem

I’ve recently been working on a Silverlight project that connects to WCF services asynchronously (as all Silverlight apps do). The issue that no one understood was that these services are not secured in any way. Silverlight is simply a client that asks for information by sending a request as XML and receiving XML back. So any programming language that has classes to handle SOAP could easily call those web services, because they were not authenticated.

The Solution

As an ASP.NET developer you learn to use ASP.NET sessions as a way to authenticate and to keep track of that authentication. This works for web services as well. You just have to make sure you have a couple of things in place. First, in your web service you must include ‘System.ServiceModel.Activation’ with the ‘using’ clause, and at the top of your web service class implementation you must include the following attribute:

using System.ServiceModel.Activation;

namespace mynamespace
{
    // Lets the service run in ASP.NET compatibility mode, which is what
    // makes HttpContext.Current and session state available to it
    [AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
    public class mywebservice
    {
        // service methods go here
    }
}

Once you’ve done this you can include your methods and utilize your session classes:

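public void Login(string username, string password)
{
    // check username/password against the database and validate yes or no
    // (ValidateCredentials is a placeholder name for that lookup)
    bool isLoggedIn = ValidateCredentials(username, password);

    if (isLoggedIn)
    {
        // record the successful login in the caller's ASP.NET session
        System.Web.HttpContext.Current.Session["IsLoggedIn"] = "yes";
    }
}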
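
The session flag only protects anything if every other operation checks it before returning data. One way to do that is sketched below as an added example (not code from the original project); RequireLogin, GetCustomerNotes and Logout are hypothetical names, and it assumes web.config sets aspNetCompatibilityEnabled="true" on the serviceHostingEnvironment element.

```csharp
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.Web;

namespace mynamespace
{
    [ServiceContract]
    // Required (rather than Allowed) makes the service refuse to start when
    // ASP.NET compatibility mode is off, instead of running with no session.
    [AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
    public class mywebservice
    {
        // Throws unless Login has marked the caller's ASP.NET session.
        private static void RequireLogin()
        {
            HttpContext ctx = HttpContext.Current;

            // Fail closed: no context, no session, or no flag all mean "not logged in".
            if (ctx == null || ctx.Session == null ||
                !"yes".Equals(ctx.Session["IsLoggedIn"] as string))
            {
                throw new FaultException("Not authenticated.");
            }
        }

        [OperationContract]
        public string GetCustomerNotes() // hypothetical operation
        {
            RequireLogin(); // check before touching any data
            return "notes visible only to a logged-in caller"; // constructed sample value
        }

        [OperationContract]
        public void Logout()
        {
            HttpContext ctx = HttpContext.Current;
            if (ctx != null && ctx.Session != null)
            {
                ctx.Session.Abandon(); // discard the server-side session state
            }
        }
    }
}
```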

The last thing that would be needed is to secure the transmissions with SSL. Without this, anyone could sniff the packets to and from a laptop using a public wifi hotspot.
