I am working on a project in which we are creating a web service that is called from a desktop application. My problem is how to provide security for the web methods when they are called from the desktop application, so that only authenticated members can access them.
How do I pass the user name and password through the SOAP header?
But I do not want to authenticate the user name and password every time we call a method. I want to authenticate a user only the first time he calls a web method; for the next calls a token will be generated that will be used for future reference.
Please give me a solution for all these problems immediately.
Or another way to implement security for the web service.
Please give a solution with code.
Even if you pass the username and password through the SOAP headers, anybody sniffing the packets will be able to lift this out easily. Even if you encrypt the data, a hacker can easily reuse the encrypted headers.
I would consider doing the following:
SSL certificate on the web server (this is a VERY cheap option now).
You can even be clever with dates to see when a user last authenticated and expire them if need be.
Because you are using SSL, the connection between the server and the client is secure. All data that gets transmitted, including GET and POST data, is encrypted.
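
The scheme discussed in this thread (password on the first call, a token on later calls, expiry based on when the user last authenticated), sketched as an added example that is not part of either post. The `TokenService` class, its method names and the 15-minute lifetime are assumptions, and the service is meant to sit behind the SSL endpoint the answer recommends.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime; the thread names no figure

def hash_password(password, salt):
    # Salted PBKDF2 so the server never stores the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class TokenService:
    """Hypothetical server-side store: log in once, then present a token."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._users = {}     # username -> (salt, password hash)
        self._sessions = {}  # sha256(token) -> (username, last authenticated)

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, hash_password(password, salt))

    def login(self, username, password):
        """First call: check the credentials, return a random token or None."""
        salt, stored = self._users.get(username, (b"\0" * 16, b""))
        if not hmac.compare_digest(hash_password(password, salt), stored):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = (username, self._clock())
        return token

    def authenticate(self, token):
        """Later calls: map a token to its user, or None if unknown or expired."""
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        username, issued_at = session
        if self._clock() - issued_at > TOKEN_TTL_SECONDS:
            del self._sessions[key]   # expired: the client must log in again
            return None
        return username

    @staticmethod
    def _key(token):
        # Keep only a digest so a leaked session table yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()
```

The desktop client would send the token in the SOAP header on every call after `login`, and each web method would call `authenticate` before doing any work.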