
I just started to work on a WCF service and built a web application to consume my service. I made it token based: I pass a token in every request and then check on each request against the database whether that token is valid or not. I think this is not good, to send an extra request to the DB every time. So, is it possible to authenticate the user the first time when he logs in or first makes a request to the service, and after that, until the session remains, all my requests work with the token?

I searched on Google but everyone was telling how to authenticate with the service.

Ancient

2 Answers


Instead of a random string that you generate and need to check in the database, make your tokens around encryption and/or signing just like many authentication modules do.

In other words, build a token from a user/application name, issue date and/or expiry date, encrypt it and you have a self-contained token that doesn't need any database lookups for validation.

For easy encryption, the MachineKey can be used:

http://msdn.microsoft.com/en-us/library/system.web.security.machinekey%28v=vs.110%29.aspx

A side note - this is how forms authentication / session authentication modules work. You have cookies (tokens) that carry the authentication information. You could consider switching to these.

Edit: an example you ask about:

using System;
using System.Text;
using System.Web.Security;

// create token (MachineKey.Protect encrypts and signs with the server's machine key)
static string CreateToken( string username )
{
    return Convert.ToBase64String( MachineKey.Protect(
               Encoding.UTF8.GetBytes( username ) ) );
}

// get username out of token (Unprotect throws CryptographicException if the token was tampered with)
static string GetUsername( string token )
{
    return Encoding.UTF8.GetString( MachineKey.Unprotect(
               Convert.FromBase64String( token ) ) );
}
Wiktor Zychla
  • Can you put an example? I didn't understand. – Ancient Dec 29 '14 at 18:27
  • I edited my answer with a basic example that should give you an idea of how to design your own tokens. – Wiktor Zychla Dec 29 '14 at 22:42
  • And do what after getting the token out? How can I verify that this is a real client that needs to consume my service? Even in this situation I need to call the database. So what to do, can you please explain? – Ancient Dec 30 '14 at 07:35
  • I have many clients who will consume my service and every client will have different tokens, so how do I know which client is calling and whether a client is calling or it's a fake? – Ancient Dec 30 '14 at 07:36
  • Since tokens are encrypted at the server, there is really no way to forge them client-side. – Wiktor Zychla Dec 30 '14 at 08:35

Checking the auth token against the database on each request is probably a bad idea. What is commonly used as a token is the current user principal itself, but serialized and encrypted. The token is generated and returned to the client upon login. Then on each request you pass the token to the service, which then gives you the opportunity to deserialize it and populate your System.Threading.Thread.CurrentPrincipal without a roundtrip to the DB.

Check these SO answers for more insight:

  1. Delivering a JWT SecurityToken to a WCF client
  2. How to use Microsoft JWT Token Handler to secure webHttpBinding based WCF service
cleftheris
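The token design both answers describe (an identity plus issue and expiry time, protected with a key that only the server holds, and validated on every request without a database lookup), written out as an added example in Python; it is not code from either answer. An HMAC signature stands in for MachineKey.Protect, and the secret key, the claim names and the time values are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed server-side secret: plays the role of the MachineKey. Anyone
# without it cannot produce a valid signature, so no DB check is needed.
SERVER_KEY = b"constructed-demo-secret-do-not-use"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_token(username: str, ttl_seconds: int, now: float = None) -> str:
    """Issue a self-contained token: JSON claims (user, issued, expires) + HMAC."""
    issued = int(time.time() if now is None else now)
    claims = {"sub": username, "iat": issued, "exp": issued + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(sig)


def validate_token(token: str, now: float = None):
    """Return the username if the token is authentic and unexpired, else None.

    The signature proves the server issued the claims unchanged; the expiry
    bounds how long a stolen token stays usable. Neither step touches a DB.
    """
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _b64d(payload_b64)
        sig = _b64d(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    current = time.time() if now is None else now
    if current >= claims["exp"]:
        return None
    return claims["sub"]
```

Revoking a single token before it expires still needs server-side state (a short deny list or a key rotation), which is the trade-off for dropping the per-request database lookup.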