
How To Make WCF Sessions More Secure?

Developer https://www.devze.com 2022-12-13 11:14 Source: web

Let's say we have a WCF service like the one from the MSDN examples -- C#, CalculatorService, with all the service settings on default.

If I were a hacker and I knew that CalculatorService was something important that I wanted to make stop working, I could simply hack the code for the service references and make an application of my own that creates 10 clients. These clients would call a random (non-terminating) method on CalculatorService every now and then, to keep the session alive, and never close.

Now obviously, since all 10 sessions are taken (or whatever the maximum number of sessions is), no one can access CalculatorService; it is completely blocked!

How can we protect our services from that?


If you're afraid a malicious hacker will clog up your service with bogus sessions, then don't use sessions! Use the "per-call" approach, and authenticate your users, e.g. make sure they're either in your Windows/AD domain, or they have knowledge of a username/password to make calls to your service.

Should a malicious hacker get a valid username/password combination for your service, then you cannot do much to stop him from constantly sending you 10 or 20 concurrent requests and clogging up your service - at least not at the WCF service level. WCF provides service throttling behaviors to prevent 1,000s of malicious concurrent calls in order to protect your server from being flooded and crashed.

If you need to keep away specific IPs or ranges of IPs, you'll have to approach that earlier on - in your routers/firewalls - the WCF service can't really help you there.
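As an added example (not from the original answer, and not the MSDN CalculatorService sample itself), here is what the three measures the answer describes look like when a CalculatorService host is configured in C#: a contract that refuses sessions, per-call instancing, username authentication on the endpoint, and an explicit service throttle. The endpoint address, the certificate subject name "localhost", the throttle numbers and the hard-coded username/password in the validator are placeholders, not anything from the page.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

// Refuse sessions at the contract level: there is no per-client session
// slot for an idle client to hold open.
[ServiceContract(SessionMode = SessionMode.NotAllowed)]
public interface ICalculator
{
    [OperationContract]
    double Add(double n1, double n2);
}

// Per-call instancing: each call gets a fresh service object that is
// released when the call returns, so a connected-but-idle client costs nothing.
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall,
                 ConcurrencyMode = ConcurrencyMode.Multiple)]
public class CalculatorService : ICalculator
{
    public double Add(double n1, double n2) { return n1 + n2; }
}

// Placeholder credential check (assumption, not real code): a production
// validator would check AD, a database or an identity provider instead.
public class DemoUserNameValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (userName != "alice" || password != "correct horse battery staple")
            throw new SecurityTokenException("Unknown username or incorrect password.");
    }
}

public static class Program
{
    public static void Main()
    {
        // Base address is an assumption for the example.
        var host = new ServiceHost(typeof(CalculatorService),
                                   new Uri("http://localhost:8000/calculator"));

        // Message security with username credentials: a caller without valid
        // credentials is rejected before any service operation runs.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        // No WS-SecureConversation context: each message is authenticated on its
        // own, so there is also no security session for a client to keep alive.
        binding.Security.Message.EstablishSecurityContext = false;
        host.AddServiceEndpoint(typeof(ICalculator), binding, "");

        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator =
            new DemoUserNameValidator();
        // Message security needs a service certificate; the subject name is an assumption.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "localhost");

        // Explicit throttle instead of the defaults. The numbers are illustrative;
        // size them to what the box can actually serve.
        var throttle = host.Description.Behaviors.Find<ServiceThrottlingBehavior>();
        if (throttle == null)
        {
            throttle = new ServiceThrottlingBehavior();
            host.Description.Behaviors.Add(throttle);
        }
        throttle.MaxConcurrentCalls = 64;
        throttle.MaxConcurrentSessions = 200;
        throttle.MaxConcurrentInstances = 264;

        host.Open();
        Console.WriteLine("CalculatorService listening; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

The "10 sessions" in the question is the .NET 3.0/3.5 default for MaxConcurrentSessions (with MaxConcurrentCalls 16 and MaxConcurrentInstances 26); from .NET 4.0 the defaults scale with the processor count (16 calls and 100 sessions per core). Whatever the numbers, the throttle caps total load on the host and does not tell one client from another, so an authenticated user who is deliberately hammering the service still has to be rate-limited per source at a gateway or firewall, as the answer says.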


The best thing to do would be to secure your WCF service:

In this article I will show you how you can implement security on a WCF service. There are many options and extensibility points for implementing security in WCF. You can also use specific products, such as the Windows 2003 Server Authorization Manager, together with WCF to implement the authorization requirements of a solution. Out of the box, WCF supports Windows credentials, Username Tokens and X.509 Digital Certificates as security credentials.

