WCF - Can I securely use the CallbackChannel to identify authenticated clients?
I'm using NetTcpBinding with a WPF client. I want to know if the callback channel (OperationContext.Current.GetCallbackChannel) can be spoofed by someone else ... I mean, can I be sure, if I store this callback object in a list, that this callback can't be used by someone else ...
Example:
```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.ServiceModel;

// Members of the duplex service class.
private class ClientCallBack
{
    public IDuplexServiceCallBack CallBack { get; set; }
    public long UserId { get; set; }
    public bool IsAuthenticate { get; set; }
    public DateTime LastPing { get; set; }
    public DateTime LastPong { get; set; }
    public bool Fault { get; set; }
    public long Ping { get; set; }
}

// Initialized so that Clients.Add() does not throw a NullReferenceException.
static List<ClientCallBack> Clients = new List<ClientCallBack>();

public void Login(string UserName, string Password)
{
    var auth = new AutentificationService();
    var user = auth.Login(UserName, Password, true, null);
    if (user != null)
    {
        // Remember the callback channel of the caller that just logged in.
        Clients.Add(new ClientCallBack()
        {
            CallBack = OperationContext.Current.GetCallbackChannel<IDuplexServiceCallBack>(),
            Fault = false,
            IsAuthenticate = true,
            LastPing = DateTime.Now,
            LastPong = DateTime.Now,
            Ping = 0,
            UserId = user.Id
        });
    }
}

public void action()
{
    // Look up the stored entry whose callback matches the current caller's channel.
    var client = Clients.FirstOrDefault(o => o.CallBack == OperationContext.Current.GetCallbackChannel<IDuplexServiceCallBack>());
    if (client != null && client.IsAuthenticate)
    {
        // This client is authenticated
    }
}
```
Is it possible for someone to use the callback of someone else?
Thanks
Answers
This is a very vague question, but I think I understand what you are trying to get at. First, OperationContext.Current.GetCallbackChannel will definitely give you the caller of the service, whichever client that may be. Another client (at least on Windows) would not be able to use the same TCP channel since it is already in use.
Now if you are talking authentication, or how to make sure the client that called the service is legitimate, that is a different topic altogether.
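
As an added example (not code from the question or the answer), one way to keep per-client authentication state tied to the channel a call arrives on is to key it by OperationContext.Current.SessionId and discard it when that channel closes or faults. IChatCallback, IChatService, ChatService and CheckCredentials are hypothetical names, and CheckCredentials is a stub standing in for the real user store.

```csharp
// Added example; IChatCallback, IChatService, ChatService and CheckCredentials are hypothetical.
using System.Collections.Concurrent;
using System.ServiceModel;

public interface IChatCallback
{
    [OperationContract(IsOneWay = true)] void Notify(string message);
}

[ServiceContract(CallbackContract = typeof(IChatCallback), SessionMode = SessionMode.Required)]
public interface IChatService
{
    [OperationContract] bool Login(string userName, string password);
    [OperationContract] void Action();
}

public class ChatService : IChatService
{
    private sealed class Session { public long UserId; public IChatCallback Callback; }

    // Keyed by the session id that WCF reports for the channel the call arrived on.
    private static readonly ConcurrentDictionary<string, Session> Sessions =
        new ConcurrentDictionary<string, Session>();

    public bool Login(string userName, string password)
    {
        long userId;
        if (!CheckCredentials(userName, password, out userId)) return false;
        OperationContext ctx = OperationContext.Current;
        string id = ctx.SessionId;
        Sessions[id] = new Session { UserId = userId, Callback = ctx.GetCallbackChannel<IChatCallback>() };
        // Drop the entry when the channel goes away so stale state is never reused.
        ctx.Channel.Closed += (s, e) => Forget(id);
        ctx.Channel.Faulted += (s, e) => Forget(id);
        return true;
    }

    public void Action()
    {
        Session session;
        if (!Sessions.TryGetValue(OperationContext.Current.SessionId, out session))
            throw new FaultException("Not authenticated on this session.");
        session.Callback.Notify("Action accepted for user " + session.UserId);
    }

    private static void Forget(string id) { Session ignored; Sessions.TryRemove(id, out ignored); }

    // Stub (assumption): replace with the real credential check.
    private static bool CheckCredentials(string userName, string password, out long userId) { userId = 0; return false; }
}
```

The lookup in Action() uses only values read from OperationContext on the server, never an identifier passed as an operation parameter, and the concurrent dictionary replaces the unsynchronized static list.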