Vista - WCF Secure Session Key Renewal best practice?

12-19-2007

I've got a .NET 3.0/WCF client-server app that implements a duplex message
exchange pattern, using message security and per session instance mode, tcp
transport.

After an established connection, the server is periodically sending back
notifications to connected clients. There may be NO forward client-to-service
operation calls during a long time.

However, right after 15 hours I get a "The session key must be renewed
before it can secure application messages" error message on the server. I
figured out this is related to the local client or service security property
"SessionKeyRenewalIntervalproperty".

I don't think it's a good idea just to increase this property. However I
must prevent callback notifications from being lost.

So what is the best practice to renew this session key before expiring the
session?

Thanks for any hints. Did not find anything so far.

12-19-2007

I may be out of my league on this one, since I have not had this
problem yet.

However, in your case, the client is the initiator, so the client is
the one responsible for re-initializing the session key, in other
words, re-establishing the a new session or renewing the current one,
although I don't know if the later is expected. The exception is
thrown to the server when sending back notifications, not the client,
which would be the one responsible for renewing the session he
started.

The documentation states:
"Gets or sets the time span after which the initiator renews the
key for the security session"
So, its in fact the initiator the one responsible for renewing the
session.

Having said this, and although I'm not familiar with your scenario,
I'd assume that the server would wait for a message by the client
(periodically) before continue to send notifications. In fact, 15
hours later the client might not even be there anymore. On the other
hand, if you could renew a session key programatically, it would allow
the server to send a certain notification to make the client perform
the renewal (or re-open the channel) and therefore wakeup/renew the
session key, although this one seems a bit far-fetched, since it was
the client that initiated the conversation and its the client who will
eventually end it.

I know its not a complete answer

, but it was an interesting enough
scenario.
Let me know your thoughts or updates ...

regards,
Tiago Halm

01-07-2008

The update my information here:

Yes, the session is automatically renewed and authenticated. I implemented a
"keep-alive" watch-dog functionality calling the service from the client
periodically when not other calls are made for a long time.

So this may be a best practice.

"Markus Leder" wrote:

Quote:

> Thanks for your feedback, Tiago. Keeping the session alive from the client's
> side with periodic request, I also thought this to be a solution.
>
> However, I have to try this out, as I find no further information on
> automatic (or programatic) session key renewal. Well, this may work out of
> the box. I will keep you updated on this - after christmas holidays :-)
>
> Markus

01-07-2008

Markus,

Thanks for the update, it definitely seems a good alternative.

Tiago Halm

"Markus Leder" <MarkusLeder@xxxxxx> wrote in message
news:12A6902C-AD01-462D-9A46-81C01A7B5652@xxxxxx

Quote:

> The update my information here:
>
> Yes, the session is automatically renewed and authenticated. I implemented
> a
> "keep-alive" watch-dog functionality calling the service from the client
> periodically when not other calls are made for a long time.
>
> So this may be a best practice.
>
> "Markus Leder" wrote:
>

Quote:

>> Thanks for your feedback, Tiago. Keeping the session alive from the
>> client's
>> side with periodic request, I also thought this to be a solution.
>>
>> However, I have to try this out, as I find no further information on
>> automatic (or programatic) session key renewal. Well, this may work out
>> of
>> the box. I will keep you updated on this - after christmas holidays :-)
>>
>> Markus

12-19-2007	#1 (permalink)
Markus Leder n/a posts	WCF Secure Session Key Renewal best practice? I've got a .NET 3.0/WCF client-server app that implements a duplex message exchange pattern, using message security and per session instance mode, tcp transport. After an established connection, the server is periodically sending back notifications to connected clients. There may be NO forward client-to-service operation calls during a long time. However, right after 15 hours I get a "The session key must be renewed before it can secure application messages" error message on the server. I figured out this is related to the local client or service security property "SessionKeyRenewalIntervalproperty". I don't think it's a good idea just to increase this property. However I must prevent callback notifications from being lost. So what is the best practice to renew this session key before expiring the session? Thanks for any hints. Did not find anything so far.
My System Specs

12-19-2007	#2 (permalink)
tiago.halm n/a posts	Re: WCF Secure Session Key Renewal best practice? I may be out of my league on this one, since I have not had this problem yet. However, in your case, the client is the initiator, so the client is the one responsible for re-initializing the session key, in other words, re-establishing the a new session or renewing the current one, although I don't know if the later is expected. The exception is thrown to the server when sending back notifications, not the client, which would be the one responsible for renewing the session he started. The documentation states: "Gets or sets the time span after which the initiator renews the key for the security session" So, its in fact the initiator the one responsible for renewing the session. Having said this, and although I'm not familiar with your scenario, I'd assume that the server would wait for a message by the client (periodically) before continue to send notifications. In fact, 15 hours later the client might not even be there anymore. On the other hand, if you could renew a session key programatically, it would allow the server to send a certain notification to make the client perform the renewal (or re-open the channel) and therefore wakeup/renew the session key, although this one seems a bit far-fetched, since it was the client that initiated the conversation and its the client who will eventually end it. I know its not a complete answer , but it was an interesting enough scenario. Let me know your thoughts or updates ... regards, Tiago Halm
My System Specs

01-07-2008	#3 (permalink)
Markus Leder n/a posts	Re: WCF Secure Session Key Renewal best practice? The update my information here: Yes, the session is automatically renewed and authenticated. I implemented a "keep-alive" watch-dog functionality calling the service from the client periodically when not other calls are made for a long time. So this may be a best practice. "Markus Leder" wrote: Quote: > Thanks for your feedback, Tiago. Keeping the session alive from the client's > side with periodic request, I also thought this to be a solution. > > However, I have to try this out, as I find no further information on > automatic (or programatic) session key renewal. Well, this may work out of > the box. I will keep you updated on this - after christmas holidays :-) > > Markus
My System Specs

01-07-2008	#4 (permalink)
Tiago Halm n/a posts	Re: WCF Secure Session Key Renewal best practice? Markus, Thanks for the update, it definitely seems a good alternative. Tiago Halm "Markus Leder" <MarkusLeder@xxxxxx> wrote in message news:12A6902C-AD01-462D-9A46-81C01A7B5652@xxxxxx Quote: > The update my information here: > > Yes, the session is automatically renewed and authenticated. I implemented > a > "keep-alive" watch-dog functionality calling the service from the client > periodically when not other calls are made for a long time. > > So this may be a best practice. > > "Markus Leder" wrote: > Quote: >> Thanks for your feedback, Tiago. Keeping the session alive from the >> client's >> side with periodic request, I also thought this to be a solution. >> >> However, I have to try this out, as I find no further information on >> automatic (or programatic) session key renewal. Well, this may work out >> of >> the box. I will keep you updated on this - after christmas holidays :-) >> >> Markus
My System Specs

Similar Threads
Thread	Forum
VPN Session Icon Disappears, so I can't close Session	Vista file management
5719 Event ID - "...not able to set up a secure session with a dom	Vista General
Automatic IP Renewal	Vista networking & sharing