web service security in asp.net
I am working on a project in which we are creating a web service that is called from a desktop application. My problem is how I provide security to the web methods when they are called from the desktop application so that only authenticated members can access those methods. How do I pass the user name and password through the SOAP header?
But I do not want to authenticate the user name and password every time we call a method. I want to authenticate a user only the first time he calls a web method, and for the next calls a token will be generated that will be used for future references.
Please give me a solution for all these problems immediately, or another way to implement security for the web service. Please give the solution with code.
You need to set the authentication type in IIS on the webserver. http://technet.microsoft.com/en-us/library/cc733010(WS.10).aspx The type will depend on your application (in-house app, external etc.) and how important security is to you.
You could store the credentials in an encrypted section in your client app.config file. Then authenticate each time you call the webservice.
Note that Basic Authentication sends the username/password combo in the clear (base64 encoding) so it is recommended to use SSL with this.
You can create credentials to pass to the webservice like so (where ConfigurationUtility is a custom helper class and WebServiceCredentials retrieves the credentials from a custom config section in the config file).

    using System.Net;

    // Credentials come from the (encrypted) custom config section, not from source code.
    CredentialElement credentials = ConfigurationUtility.WebServiceCredentials;
    NetworkCredential netCredential = new NetworkCredential(
        credentials.UserName,
        credentials.Password,
        credentials.Domain);

    // Attach the credential to the service URL so it is only sent to that endpoint
    // for the chosen authentication type (here Basic, as discussed above).
    CredentialCache credentialCache = new CredentialCache();
    credentialCache.Add(new Uri(webServiceUrl), "Basic", netCredential);
You can programmatically encrypt config sections using

    using System.Configuration;

    // sectionName is the name of the custom config section holding the credentials.
    System.Configuration.Configuration config =
        ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
    ConfigurationSection section = config.GetSection(sectionName);
    if (!section.SectionInformation.IsProtected)
    {
        // Protecting the specified section with the specified provider (DPAPI, machine-bound).
        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
    }
    section.SectionInformation.ForceSave = true;
    config.Save(ConfigurationSaveMode.Modified);
Note: you don't need to decrypt the section, this is done for you.
You can accept (any and all) SSL certs programmatically
    using System.Net;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;

    ServicePointManager.ServerCertificateValidationCallback += this.ValidateRemoteCertificate;

    // Returning true unconditionally disables server certificate validation for the
    // whole process: policyErrors (untrusted chain, name mismatch, expiry) are ignored.
    private bool ValidateRemoteCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors policyErrors)
    {
        return true;
    }
Even if you pass the username and password through the soap headers anybody sniffing the packets will be able to lift this out easily. Even if you encrypt the data then a hacker can easily reuse the encrypted headers.
I would consider doing the following:-
- Put an SSL certificate on the webserver (this is a VERY cheap option now)
- Create a login service that accepts a username and password and then returns a token as a guid
- When the user successfully authenticates, pass back the token and loginId, and log this token guid and login id into the database on the server. Every time the user logs back in, recreate a new token guid
- Every time the user calls another webservice, pass the token and login and check against the database to make sure the user is still logged in
You can even be clever with dates to see when a user last authenticated and expire them if need be.
Because you are using SSL the connection between the server and the client is secure. All data that gets transmitted including GET and POST data is encrypted
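The login/token flow described in the answer above, written out as an added example (it is not code from the answer or the asker). It keeps sessions in an in-memory dictionary instead of the database the answer mentions, and the password check delegate and the 20-minute lifetime are assumptions; the web methods would call Login and Validate with the values carried in the SOAP header.

```csharp
using System;
using System.Collections.Generic;

// Issues one GUID token per login id, rotates it on every login, and expires it.
public sealed class TokenStore
{
    private sealed class Session { public Guid Token; public DateTime IssuedUtc; }

    private readonly object _lock = new object();                 // web methods run concurrently
    private readonly Dictionary<string, Session> _sessions = new Dictionary<string, Session>();
    private readonly Func<string, string, bool> _checkPassword;   // assumed: your own user lookup
    private readonly TimeSpan _lifetime;

    public TokenStore(Func<string, string, bool> checkPassword, TimeSpan lifetime)
    {
        _checkPassword = checkPassword;
        _lifetime = lifetime;
    }

    // Login web method: credentials are verified once, then a fresh token is issued.
    // Logging in again replaces any earlier token for the same login id.
    public Guid? Login(string loginId, string password)
    {
        if (!_checkPassword(loginId, password)) return null;
        var session = new Session { Token = Guid.NewGuid(), IssuedUtc = DateTime.UtcNow };
        lock (_lock) { _sessions[loginId] = session; }
        return session.Token;
    }

    // Called at the top of every other web method with loginId and token from the
    // SOAP header: true only if the token matches the current one and has not expired.
    public bool Validate(string loginId, Guid token)
    {
        lock (_lock)
        {
            Session session;
            if (!_sessions.TryGetValue(loginId, out session)) return false;
            if (DateTime.UtcNow - session.IssuedUtc > _lifetime)
            {
                _sessions.Remove(loginId);          // expired: force a new login
                return false;
            }
            return session.Token == token;
        }
    }

    public void Logout(string loginId) { lock (_lock) { _sessions.Remove(loginId); } }
}
```

A calling web method would do `if (!store.Validate(header.LoginId, header.Token)) throw new SoapException("Not authenticated", SoapException.ClientFaultCode);` before doing any work, and the login call itself stays behind SSL as the answer recommends.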