Re: Securing Web Services



I forgot to say, a replay attack on the same session is also avoided because
each packet has an incremental sequence number which is remembered by the
SSL session.

<Andy> wrote in message news:uZrppoOJHHA.3916@xxxxxxxxxxxxxxxxxxxxxxx
The stream cannot be replayed. Each SSL connection has a unique session
key, so just replaying an old stream on a new connection will not work.

Remember to only send a hash of the password and not the full password.
This means that you don't have to store actual passwords on the server.


Regards,

Andy Kendall


"Chris" <nospam@xxxxxxxxxx> wrote in message
news:ucJtBbHJHHA.1044@xxxxxxxxxxxxxxxxxxxxxxx
I want to secure a web service so only authorized client apps can use it.
Will using SSL with an encrypted username and password in the SOAP header
do the job? I know you could potentially capture a post to a web service
(or anything sent over the web). Will SSL mean you can't capture the
stream to the web service and resend it? I am thinking if the post to the
web service contains the username and password then it is useless unless
SSL means it can't be captured and reused? Regards.
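
The two replay cases discussed in this thread (the same record resent on the same session, and an old record resent on a new session), as an added example that is not part of the original posts. It is a simplified model of a record MAC computed over an implicit sequence number, not real SSL/TLS: encryption is omitted, and the class name, function names and sample payload are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct


class RecordChannel:
    """One end of a session: a MAC key plus an implicit 64-bit record counter."""

    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.seq = 0  # never sent on the wire; each end counts for itself

    def _tag(self, seq: int, payload: bytes) -> bytes:
        # The sequence number is fed into the MAC, so the tag is only valid
        # at one position in one session.
        header = struct.pack(">QH", seq, len(payload))
        return hmac.new(self.mac_key, header + payload, hashlib.sha256).digest()

    def seal(self, payload: bytes) -> bytes:
        record = payload + self._tag(self.seq, payload)
        self.seq += 1
        return record

    def open(self, record: bytes) -> bytes:
        payload, tag = record[:-32], record[-32:]
        if not hmac.compare_digest(tag, self._tag(self.seq, payload)):
            # A real SSL/TLS endpoint would also close the connection here.
            raise ValueError("bad record MAC (replayed, reordered or forged)")
        self.seq += 1
        return payload


def try_open(channel: RecordChannel, record: bytes) -> str:
    try:
        channel.open(record)
        return "accepted"
    except ValueError:
        return "rejected"


def demo() -> dict:
    key = os.urandom(32)  # constructed per-session key
    client, server = RecordChannel(key), RecordChannel(key)
    captured = client.seal(b"<soap:Header>user=chris</soap:Header>")  # constructed
    return {
        "first_delivery": try_open(server, captured),
        "same_session_replay": try_open(server, captured),
        "new_session_replay": try_open(RecordChannel(os.urandom(32)), captured),
    }


if __name__ == "__main__":
    print(demo())
```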




