I’m creating a smart client application using .NET 3.5. A Winforms client connecting through WCF services to retrieve data from SQL Server 2008. I need to pass a username/password (encrypted and over HTTPS) and return information such as:
- Is this user (e-mail address) under a current subscription
- What server should we go to next for all subsequent calls (poor man’s load balancing)
- What server/database should be used in the connection string (credentials not required), as people could be using different databases depending on their subscription, etc.
So my first call when signing on sends the credentials which a lookup is performed. A serializable class will be used to create a token object (I assume this is the way to handle this) which will return the expiration, server info, database info.
The question is on all subsequent calls do I pass this token as a parameter to every service contract (web method) or can I leave all my current contracts as is and pass the token in a header or some other more universal method?
How do you suggest implementing a token system such as I describe?
Thank you
For one, I would only return a
TokenID– some unique ID to clearly identify the user and his subscription in question – from your first "authentication" call. No need to send back and forth the whole set of information all the time – only the service on the server side needs those details, so you can leave that info on the server and only consult it in your server code when needed.So that first call – the authentication call – would most likely check the credentials being sent against a database table, against a subscription table, and then put that information (who’s calling in, based on what subscription) and possibly some kind of an expiration date/time into a "Valid Callers" table and generate an ID from that (a GUID or something). You might want limit the "lifespan" of a TokenID – e.g. it’s valid for 30 minutes or so – so that it can’t be hijacked and used perpetually after a first successful call. That generated GUID is then returned as the
TokenIDfrom the Authentication call and can be used as an identifier in each subsequent call.Things like what database server to use have really no place in messages going back and forth – they’re strictly important to the server-side service code – just leave it there!
It is definitely preferred practice to put such "meta information" that isn’t the real value information for your calls into headers and go search for it there. WCF supports this quite nicely and easily – with either message inspectors (sample for that here and here) on client and service side, or by using the OperationContextScope (sample blog post here and here) – both work just fine.