Description
This code covers the VB.NET implementation of web service security based on a
modified version of Microsoft's "The Favorites Service" security schema.
Here is how "The Favorites Service" security schema (implemented in C++) works:
the user passes the login and the password over SSL to the Logon method and
receives a key that is valid for one hour. After that, each method is called
with this one-hour key as a parameter, along with the rest of its parameters.
To reduce the possibility of overloading the traffic between the web server and
the database by flooding the web service with requests carrying invalid keys,
the web service determines whether the key was generated by the web service. If
the key is OK, the method is served. The only risk to this security is that
somebody sniffs the key and uses it within the one-hour maximum.
The code implements the generation, validation and usage of the (hashed) keys
in VB.NET. To reduce the above security risk, I replaced the secret with the IP
address of the request. So the "bad guy" must be able to sniff the key and also
spoof the IP address of the web service's client (or be behind the same proxy).
A little background (from MSDN): The hash is
used as a unique value of fixed size representing a large amount of data. Hashes
of two sets of data should match if and only if the corresponding data also
matches. Small changes to the data result in.
Unzip the source code file into a folder and make it a virtual directory through
Internet Services Manager.