Last post May 02, 2012 11:03 AM by Steven Cheng - MSFT
Apr 30, 2012 05:52 PM
I have an application which exposes a service that is consumed by the web application via jQuery POST and by other applications (iPad, Android, etc.). I have to create an authentication system which is highly safe but still fast enough.
I thought of making a token which will be passed to the application on login and which will be used for a specific amount of time (say 30 mins), after which it should refresh itself and not expire the session. So I thought of making a token being sent to the service, which will generate the token. It will accept
2. Password (both encrypted with public key)
The server will decrypt the request with the private key and generate a token which will be valid for a specific time. Now since this would highly depend on the private key (which will be the same and thus someone from within the system can leak it and misuse it),
I want the private key to be refreshed after a specific time (say 2 hrs).
1. How do I refresh the private key and ensure that the currently issued tokens will not be rejected?
2. Is there a better way of doing it?
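The key-refresh problem in question 1 above, as an added illustration that is not part of the original thread: a hypothetical token service that signs tokens with a server-side HMAC-SHA256 secret (swapped in for the public/private key pair the post describes) and tags each token with a key id. Rotating installs a new key but keeps the retired one for verification until every token signed with it has expired, so rotation never rejects a token that is still within its lifetime. The class and method names are my own; the `now` parameter is passed explicitly so the behaviour can be checked without a clock.

```python
import base64
import hashlib
import hmac
import json
import secrets


class TokenService:
    """Hypothetical issuer: JSON payload + HMAC-SHA256 tag, keyed by key id (kid)."""

    def __init__(self, token_ttl_seconds=1800):
        self.token_ttl = token_ttl_seconds
        self.keys = {}            # kid -> {"secret": bytes, "retired_at": float | None}
        self.current_kid = None
        self._counter = 0

    def rotate_key(self, now):
        """Install a fresh signing key. The previous key stays usable for
        verification only; it is purged once no unexpired token can reference it."""
        if self.current_kid is not None:
            self.keys[self.current_kid]["retired_at"] = now
        self._counter += 1
        kid = f"k{self._counter}"
        self.keys[kid] = {"secret": secrets.token_bytes(32), "retired_at": None}
        self.current_kid = kid
        # Any token signed with a key retired at time r expires by r + token_ttl.
        for old_kid, entry in list(self.keys.items()):
            retired = entry["retired_at"]
            if retired is not None and now - retired >= self.token_ttl:
                del self.keys[old_kid]
        return kid

    @staticmethod
    def _b64(data: bytes) -> str:
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

    @staticmethod
    def _unb64(text: str) -> bytes:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

    def _sign(self, kid, payload_bytes):
        return hmac.new(self.keys[kid]["secret"], payload_bytes, hashlib.sha256).digest()

    def issue(self, username, now):
        """Sign a token under the current key; it carries the kid it was signed with."""
        payload = {"sub": username, "kid": self.current_kid,
                   "iat": now, "exp": now + self.token_ttl}
        payload_bytes = json.dumps(payload, separators=(",", ":")).encode()
        tag = self._sign(self.current_kid, payload_bytes)
        return self._b64(payload_bytes) + "." + self._b64(tag)

    def verify(self, token, now):
        """Return the username if the token is genuine and unexpired, else None."""
        try:
            payload_b64, sig_b64 = token.split(".")
            payload_bytes = self._unb64(payload_b64)
            payload = json.loads(payload_bytes)
            kid = payload["kid"]
            tag = self._unb64(sig_b64)
        except (ValueError, KeyError, TypeError):
            return None
        if kid not in self.keys:
            return None                    # key purged: token is necessarily expired
        # Constant-time comparison so a tag mismatch leaks nothing about position.
        if not hmac.compare_digest(self._sign(kid, payload_bytes), tag):
            return None
        if now >= payload.get("exp", 0):
            return None
        return payload.get("sub")

    def refresh(self, token, now):
        """Exchange a still-valid token for a fresh one under the current key,
        which is how a session outlives both the token TTL and a key rotation."""
        user = self.verify(token, now)
        return None if user is None else self.issue(user, now)
```

Rotation on a schedule (the 2-hour interval in the question) is then just a periodic `rotate_key(now)`; a leaked retired key can at most forge tokens that the purge window already makes worthless, and only verification, never issuance, ever uses it.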
Apr 30, 2012 06:41 PM
I use a custom SoapHeader like such:
Public Class AuthenticationHeader
    Inherits System.Web.Services.Protocols.SoapHeader
#Region "Fields"
    Public Password As String
    Public Username As String
#End Region 'Fields
End Class
Then all my web service calls are as such:
Public Function SomeWebSvcCall(id As String) As String
    Dim result As String = "Default Message"
    If IsAuthenticated() Then
        Try
            'main code here
        Catch ex As Exception
            result = ex.Message.ToString()
        End Try
    Else
        result = "NOT AUTHORIZED!"
    End If
    Return result
End Function
Apr 30, 2012 07:12 PM
Why not use basic authentication over SSL?
May 02, 2012 11:03 AM
For a WCF REST service, since it is based on plain HTTP, we can either use the built-in authentication methods provided by IIS, such as Windows or basic authentication, or use Federation/WIF to implement OAuth-like authentication:
WCF (REST) Service With Federated Authentication
Using WIF for securing REST Service
For your case, you want to refresh the decryption private key at the server side; I think this will surely cause the existing issued public key to become invalid. You need to define a certain negotiation method for the client and server to exchange and synchronize