In part 1 (RIA security 101: Logins, web services, usernames and passwords), I discussed the importance of security in RIAs (Rich Internet Applications) and set the ground rules for allowing web services to authenticate calls from the client. In this article, I will show you how to do that using the built-in ASP.NET session object.
When the user logs into your service, validate their login and save something that uniquely identifies them (their username or user ID typically) in the session object.
' At the top of the service file:
Imports System.ServiceModel
Imports System.Web

<OperationContract()> _
Public Function Login(ByVal Username As String, ByVal Password As String) As Boolean
    ' Only a successful credential check puts an identity into the session.
    If DatabaseWrapper.IsLoginValid(Username, Password) Then
        HttpContext.Current.Session("Username") = Username
        Return True
    Else
        ' Failed login: discard any state this session may already hold.
        HttpContext.Current.Session.Abandon()
        Return False
    End If
End Function
The next time the user calls a method on your service that requires authentication, check for the existence of a user ID or username in the session object. If it's there, you know the caller is a valid user, because only successfully logged-in users have their information added to the session object.
<OperationContract()> _
Public Function IsLoggedin() As Boolean
    ' Login stores the identity under the "Username" key, so that is the key to check.
    Return HttpContext.Current.Session("Username") IsNot Nothing
End Function

<OperationContract()> _
Public Sub UpdateSomething(ByVal Something As String)
    If IsLoggedin() Then
        ' Act on behalf of the identity recorded at login, never on a name supplied by the client.
        DatabaseWrapper.SetDataForUser(DirectCast(HttpContext.Current.Session("Username"), String), Something)
    Else
        Throw New Exception("Session has expired")
    End If
End Sub
ASP.NET handles all the heavy lifting for you by:
- Associating your session data with a unique session ID (aka token)
- Passing that session ID down to the client in the form of a cookie
- Storing your session data between calls to the server (in memory, a state server, or a database, depending on how you have it configured)
- Retrieving that session data when you need it by looking up the session ID stored in the client's cookie
- Making sure that the session expires eventually, so a captured session ID cannot be reused indefinitely
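The behaviour in that list is driven by web.config. The fragment below is an added example, not the configuration shipped with the post's source code; it shows the settings that make HttpContext.Current.Session available inside a WCF operation and that bound the lifetime and exposure of the session cookie. The 20-minute timeout is an assumption, and requireSSL assumes the service endpoints are served over HTTPS.

```xml
<?xml version="1.0"?>
<!-- Added example (not from the original post): web.config pieces for the
     session-based authentication described above. -->
<configuration>
  <system.web>
    <!-- InProc is the default store; StateServer or SQLServer keep sessions across
         worker-process recycles and across web-farm nodes. 'timeout' is the idle
         time in minutes before the session, and the identity stored in it at Login,
         is discarded. 20 minutes is an assumed value. -->
    <sessionState mode="InProc" cookieless="UseCookies" timeout="20" />
    <!-- The session ID cookie is the bearer token for every authenticated call, so
         keep it out of reach of script (HttpOnly) and off plaintext HTTP (requireSSL). -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  <system.serviceModel>
    <!-- Without this, HttpContext.Current is Nothing inside a WCF operation and the
         Session lookups in Login and IsLoggedin would fail. -->
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
  </system.serviceModel>
</configuration>
```

The service class must also opt in with <AspNetCompatibilityRequirements(RequirementsMode:=AspNetCompatibilityRequirementsMode.Allowed)> for the compatibility mode to take effect.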
Check out the source code to see a fully functioning Silverlight client and WCF web service working together to securely manage login data between service calls. Login through an HTML based login (Homepage.htm) or the Silverlight client itself (hosted within Default.aspx).
[…] was reading a post by Tim Greenfield today regarding RIA and security. He also followed this up with a nice post on how to implement one of his techniques using sessions. Taking this from the Silverlight RIA […]
[…] #2, the session approach. In Part 2 of this article (RIA security 102: Using ASP.NET session state to authenticate web service calls) I demonstrate how to use built in ASP.NET session state objects to manage tokens for us. Note: […]
tks!