You need to create a simple WebService with user authentication support. The service looks as follows:

Suppose we have registered users in our database. There is a user login function (its parameters are login and password). If everything is fine, it returns a sessionID (ssid); otherwise there is no such user in our database.

There are several functions in the WebService class which should work only if the user is logged in.

The essence of my question is that these functions should work not only when ssid is n. that this is our user) then perform the function.

How do I implement this, and in general, is a parameter necessary for checking security?

    1 answer

    If you have a stateless service, then after authorization issue an authToken to the user (for example, some kind of GUID). Accordingly, this authToken should be connected to your user in some way. For example, a simple two-column table in the database: authToken | userId. I advise you to update this token periodically.

        // WCF service contract
        [OperationContract]
        string Authorize(string username, string password);
        ...
        // service contract implementation
        string Authorize(string username, string password)
        {
            if (!Validate(username, password))
                throw new Exception("Invalid username or password");

            var userId = GetUserId(username);
            // a fresh GUID, formatted without dashes, serves as the auth token
            string token = Guid.NewGuid().ToString("N");
            // remember which user the token belongs to
            DataBase.AuthUsers.Add(new AuthUser(userId, token));
            return token;
        }

        void SomeOperation(string authToken)
        {
            // refuse the call when no stored record carries this token
            if (DataBase.AuthUsers.All(x => x.AuthToken != authToken))
                throw new Exception("Access is denied");
            ...
        }
    • Can you give more details? In general, can it be that there is a session, but it is not the user? - jhendrix
    • @jhendrix, I don’t think the user may be the wrong one. If everything is correct with authentication / authorization, then problems should not arise. I recommend this course: pluralsight.com/training/Courses/TableOfContents/iac-wcf I’ll now add more details about the token to the post - Veikedo
    • @Veikedo, I do not use the WCF framework, everything is simple for me: there is a class with functions (each one is preceded by the WebMethod attribute). I'm new to WebService, I just need the functions to work only when the user has logged in. Then you need to understand which functions the user can use (this is where privileges come in). If you have any ideas, please write. - jhendrix
    • @Veikedo, I don’t use the WCF framework at the moment, I just need to do it at a simple level with sessions, and, if possible, any ideas about how to program the privileges are welcome. - jhendrix
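
An added example, not part of the answer or the comments above and not the posters' code: a session store that issues a random token after a successful login and, before each operation, checks that the session exists, has not expired and carries the required privilege. `SessionStore`, `Issue`, `Require`, the 20-minute lifetime and the in-memory dictionary (standing in for the authToken | userId table) are all assumptions made for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical in-memory stand-in for the answer's authToken | userId table.
public sealed class SessionStore
{
    private sealed class Session { public int UserId; public HashSet<string> Privileges; public DateTime ExpiresUtc; }
    private readonly ConcurrentDictionary<string, Session> _sessions = new ConcurrentDictionary<string, Session>();
    private readonly TimeSpan _lifetime = TimeSpan.FromMinutes(20); // assumed lifetime

    // Store only a hash of the token, so a leaked table does not yield usable tokens.
    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    // Call after the login/password check succeeds; the return value goes to the client.
    public string Issue(int userId, IEnumerable<string> privileges)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes); // 256 bits from a cryptographic random number generator
        string token = Convert.ToBase64String(bytes);
        _sessions[Hash(token)] = new Session { UserId = userId,
            Privileges = new HashSet<string>(privileges), ExpiresUtc = DateTime.UtcNow + _lifetime };
        return token;
    }

    // First line of every protected operation: returns the caller's userId or throws.
    public int Require(string token, string privilege)
    {
        Session s;
        string key = Hash(token ?? "");
        if (!_sessions.TryGetValue(key, out s))
            throw new UnauthorizedAccessException("Not logged in");
        if (s.ExpiresUtc <= DateTime.UtcNow)
        {
            _sessions.TryRemove(key, out s); // expired sessions are deleted, forcing a new login
            throw new UnauthorizedAccessException("Session expired");
        }
        if (!s.Privileges.Contains(privilege))
            throw new UnauthorizedAccessException("Missing privilege: " + privilege);
        return s.UserId;
    }
}
```

A protected method would begin with a call such as `int userId = store.Require(authToken, "reports.read");`, where the privilege name is a constructed sample. The user identity comes from the server-side session record, never from a parameter the client supplies alongside the token.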