Since you are already using a MembershipProvider you can utalize that on wcf as well so both are secured by the same mechanism.

See this post on msdn.

Windows Communication Foundation (WCF)
developers can take advantage of these
features for security purposes. When
integrated into an WCF application,
users must supply a user name/password
combination to the WCF client
application. To transfer the data to
the WCF service, use a binding that
supports user name/password
credentials, such as the WSHttpBinding
(in configuration, the wsHttpBinding
Element) and set the client credential
type to UserName. On the service, WCF
security authenticates the user based
on the user name and password, and
also assigns the role specified by the
ASP.NET role.

Another option would be to create a custom IAuthorizationPolicy that pulls off your user via

OperationContext.Current.IncomingMessageHeaders.GetHeader<T>

And than setup your principal like the following:

evaluationContext.Properties[Constants.EvaluationContextPrincipal] = principal;

Here is some more information on creating a custom IAuthroizationPolicy. With this method you could achieve what you want without passing your user to the method.

Just be warned if you go this route a crafty person could end up impersonating the user by simply suppling a bogus user in your header.

Using the asp.net membership provider for wcf would most likely get you what you are really after plus adding some security.