How to secure a WCF service by session?

My confession: I'm new to WCF, I've read something about it but just have got my hands on it for less than one week.

I want to secure my WCF by session, which is, same as a webpage, at first the client need to identify 开发者_StackOverflow中文版itself, but when it's authenticated, the WCF service trusts it until the session is timeout.

Because the service is time-critical, so the securing mechanism should be as minimal as possible.

As said above, I have no experience with WCF, so I don't know is my idea can be done or not, and which mechanisms are using widely with WCF.

Thank you very much.

The best practice is using session less services because introducing session leads to other complexities.

In your case the SOAP service can be secured with security session (security context) which is provided by WS-SecureConversation, WS-Trust etc. When using any kind of WCF session you must reuse the same service proxy instance. The session exists between particular proxy and service instance. Once any of these dies or connection suffers error the session is gone and you must open a new proxy.

When using secure conversation you will fill needed credentials into service proxy and run your communiction. The proxy will send these credentials to the service and the service will create a security token which will be used for following communication. This initial handshake has some additional cost. Following communication is secured by the token. WCF uses this together with message level encryption and signing which has another additional cost. You can turn off encryption and signing for some message parts but at least information related to authentication must be encrypted.

The basic configuration for such service can look like:

<bindings>
  <wsHttpBinding>
    <binding name="secured">
      <security mode="Message">
        <message clientCredentialType="UserName" estabilishSecurityContext="true"
                 negotiateServiceCredentials="false" />
      </security>
    </binding>      
  </wsHttpBinding>
</bindings>
<behaviors>
  <serviceBehaviors>
    <behavior name="securedService">
      ...
      <serviceCredentials>
        <!-- Allows configuring how user name and password will be validated -->
        <userNameAuthentication ... />
        <!-- Message security with user name and password credentials requires service certificate -->
        <serviceCertificate ... />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>
<services>
  <service name="..." behaviorConfiguration="securedService">
    <endpoint address="" contract="..." binding="wsHttpBinding" 
              bindingConfiguration="secured" />
  </service>
</services>

This is standard approach to do it in WCF with security integrated to WCF security pipeline. Any other approach is mostly about bypassing WCF security pipeline or modifying security pipeline - both these approaches can require a lot of custom development.