Passing FormsAuthentication cookie to a WCF service

by

It sounds like you’re looking for the Windows Communication Foundation Authentication Service.

EDIT:

After re-reading the question more carefully (and after Ariel’s comment) I’d like to retract the above suggestion. The WCF Authentication Service won’t add much to this scenario.

I haven’t done this between WCF and ASP.NET, however I have configured ASP.NET applications to share forms authenticated users, perhaps I can help in some way.

To ensure that both applications can encrypt/decrypt the forms authentication cookie in the same way you should configure the <machineKey> element for both applications (in web.config or machine.config depending on whether you want to do this at the machine or application level). You should look at the validation, validationKey, decryption and decryptionKey attributes.

Ensure that your <forms> elements in both web.config files are configured similarly. Specifically the name, path and domain attributes.

It’s likely that this only applies to cookies passed to/from a web browser (but may be useful in this case): To allow cookies to be passed between the websites www.foo.com and bar.foo.com you would configure the forms element as follows to allow cookies to be set on one site and successfully passed to the other:

<forms ... domain=".foo.com" ... />

Passing the cookie to the WCF service is likely to be the tricky bit. I’m not very experienced with WCF, so I’ve adapted code from kennyw.com:

HttpRequestMessageProperty httpRequestProperty = new HttpRequestMessageProperty();
httpRequestProperty.Headers.Add(HttpRequestHeader.Cookie, "<Forms Authentication Cookie>");

using (OperationContextScope scope = new OperationContextScope(serviceClient.InnerChannel))
{
  OperationContext.Current.OutgoingMessageProperties[HttpRequestMessageProperty.Name] = httpRequestProperty;
  serviceClient.MethodName();
}

If you’re hosting WCF within IIS (and not self-hosting) you can pass the WCF request through the ASP.NET processing pipeline by setting 

<system.serviceModel>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" ... />
</system.serviceModel>

If you’re self hosting you could examine the request headers using the incoming message’s properties in OperationContext.Current.IncomingMessageProperties and get the forms authentication cookie value and decrypt it using FormsAuthentication.Decrypt(string).

I have no idea whether any of this would work, but would love to hear if it does!

More Related Contents:

  1. ASP.NET MVC – Set custom IIdentity or IPrincipal
  2. Can some hacker steal a web browser cookie from a user and login with that name on a web site?
  3. Self Tracking Entities vs POCO Entities
  4. FormsAuthentication.SignOut() does not log the user out
  5. WCF on IIS8; *.svc handler mapping doesn’t work
  6. Mixing Forms authentication with Windows authentication
  7. How can I fix the Kerberos double-hop issue?
  8. Making a WCF Web Service work with GET requests
  9. Asp.net forms authentication and multiple domains
  10. Store/assign roles of authenticated users
  11. How to remove returnurl from url?
  12. Forms Authentication Ignoring Default Document
  13. Wcf-The maximum message size quota for incoming messages (65536) has been exceeded?
  14. Impersonate using Forms Authentication
  15. How do modern implementations of Comet/Reverse AJAX work? Any stable C# WCF or ASP.NET implementations?
  16. Can a web.config read from an external xml file?
  17. Allow access for unathenticated users to specific page using ASP.Net Forms Authentication
  18. Exception Logging for WCF Services using ELMAH
  19. WCF: System.Net.SocketException – Only one usage of each socket address (protocol/network address/port) is normally permitted
  20. WCF Service with SignalR
  21. Authentication Service using WCF
  22. Forms authentication: disable redirect to the login page
  23. Can I change the FormsAuthentication cookie name?
  24. Cross Origin Resource Sharing for c# WCF Restful web service hosted as Windows service
  25. Different users get the same cookie – value in .ASPXANONYMOUS
  26. IIS7 Cache-Control
  27. Difference between Html.RenderAction and Html.Action
  28. How to limit page access only to localhost?
  29. how to open a page in new tab on button click in asp.net?
  30. The entry ” has already been added error

Leave a Comment