Vista Forums
Vista Forums Home Join Vista Forums Donate Vista Tutorials Tags

Welcome to Vista Forums we are your forum to discuss Windows Vista x64 and x86 systems. Whether you need help or just want to post an idea you have on Vista, this is the forum for you.
Register at Vista forums...the world biggest Windows Vista resource Join Vista Forums

Go Back   Vista Forums > Vista technology newsgroups > Indigo

WCF Secure Session Key Renewal best practice?

Reply
 
Thread Tools Display Modes
Old 12-19-2007   #1
Markus Leder
Guest
 
Posts: n/a

WCF Secure Session Key Renewal best practice?

I've got a .NET 3.0/WCF client-server app that implements a duplex message
exchange pattern, using message security and per session instance mode, tcp
transport.

After an established connection, the server is periodically sending back
notifications to connected clients. There may be NO forward client-to-service
operation calls during a long time.

However, right after 15 hours I get a "The session key must be renewed
before it can secure application messages" error message on the server. I
figured out this is related to the local client or service security property
"SessionKeyRenewalIntervalproperty".

I don't think it's a good idea just to increase this property. However I
must prevent callback notifications from being lost.

So what is the best practice to renew this session key before expiring the
session?

Thanks for any hints. Did not find anything so far.
  Reply With Quote

Old 12-19-2007   #2
tiago.halm
Guest
 
Posts: n/a

Re: WCF Secure Session Key Renewal best practice?

I may be out of my league on this one, since I have not had this
problem yet.

However, in your case, the client is the initiator, so the client is
the one responsible for re-initializing the session key, in other
words, re-establishing the a new session or renewing the current one,
although I don't know if the later is expected. The exception is
thrown to the server when sending back notifications, not the client,
which would be the one responsible for renewing the session he
started.

The documentation states:
"Gets or sets the time span after which the initiator renews the
key for the security session"
So, its in fact the initiator the one responsible for renewing the
session.

Having said this, and although I'm not familiar with your scenario,
I'd assume that the server would wait for a message by the client
(periodically) before continue to send notifications. In fact, 15
hours later the client might not even be there anymore. On the other
hand, if you could renew a session key programatically, it would allow
the server to send a certain notification to make the client perform
the renewal (or re-open the channel) and therefore wakeup/renew the
session key, although this one seems a bit far-fetched, since it was
the client that initiated the conversation and its the client who will
eventually end it.

I know its not a complete answer , but it was an interesting enough
scenario.
Let me know your thoughts or updates ...

regards,
Tiago Halm
  Reply With Quote
Old 01-07-2008   #3
Markus Leder
Guest
 
Posts: n/a

Re: WCF Secure Session Key Renewal best practice?

The update my information here:

Yes, the session is automatically renewed and authenticated. I implemented a
"keep-alive" watch-dog functionality calling the service from the client
periodically when not other calls are made for a long time.

So this may be a best practice.

"Markus Leder" wrote:
Quote:

> Thanks for your feedback, Tiago. Keeping the session alive from the client's
> side with periodic request, I also thought this to be a solution.
>
> However, I have to try this out, as I find no further information on
> automatic (or programatic) session key renewal. Well, this may work out of
> the box. I will keep you updated on this - after christmas holidays :-)
>
> Markus
  Reply With Quote
Old 01-07-2008   #4
Tiago Halm
Guest
 
Posts: n/a

Re: WCF Secure Session Key Renewal best practice?

Markus,

Thanks for the update, it definitely seems a good alternative.

Tiago Halm

"Markus Leder" <MarkusLeder@xxxxxx> wrote in message
news:12A6902C-AD01-462D-9A46-81C01A7B5652@xxxxxx
Quote:

> The update my information here:
>
> Yes, the session is automatically renewed and authenticated. I implemented
> a
> "keep-alive" watch-dog functionality calling the service from the client
> periodically when not other calls are made for a long time.
>
> So this may be a best practice.
>
> "Markus Leder" wrote:
>
Quote:

>> Thanks for your feedback, Tiago. Keeping the session alive from the
>> client's
>> side with periodic request, I also thought this to be a solution.
>>
>> However, I have to try this out, as I find no further information on
>> automatic (or programatic) session key renewal. Well, this may work out
>> of
>> the box. I will keep you updated on this - after christmas holidays :-)
>>
>> Markus

  Reply With Quote
 
Reply

Thread Tools
Display Modes









Vistax64.com is an independent web site and has not been authorized,
sponsored, or otherwise approved by Microsoft Corporation.
"Windows Vista", the Start Orb, and related materials are trademarks of Microsoft Corp.
© Vistax64.com 2005-2008

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48