Hello, to make a long story short, I will lay out my WCF scenario (IIS is the host, a Windows Forms app is the client):

1- In my WCF service I have a login method (Login(string user, string password)); this method returns a GUID, and the client calls it.
2- If, on the server side, the user and password are correct, the method creates a random GUID in the database along with the authenticated username and returns the GUID.
3- On the client side, the GUID is stored in memory.
4- Now all other methods on the server take SessionID as their first parameter, for example (GetSomethingMethod(Guid SessionID, string param1, int param2)), and so on.
5- On the server side, in each method I call a static method to check the SessionID. If the session exists and the owner of that session has the authority to perform that method, I return true; if not, I return false along with a custom FaultException (SessionExpired).

Now this scenario seems OK so far, and I don't have to worry about a lot of things so far, but the problem is if I want to use the same service from a website. Should I simply put my SessionID in a cookie? Or should I change the whole scenario now, before things get really serious? I still have time to change the whole concept. I read a lot of blogs and questions here, but actually it wasn't really clear enough in the "applying them" part, even if it was clear in theory. I just need your opinion, guys. I have read a lot for the past 72 hours about security scenarios in WCF; to be honest it's not really clear to me, and sometimes it sounds like rocket science to me :(
Regards to all.
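The session scheme described in steps 1-5, written out as an added example (not code from the question or its WCF service): the in-memory dictionary stands in for the poster's database table, the SessionExpired fault contract, the IdleTimeout value, the rights array and the method names Create/Check/Destroy are assumptions. The token is drawn from a cryptographic RNG and the check enforces a server-side idle expiry, which is what gives step 5 its value no matter whether the client later keeps the GUID in memory or in a cookie.

```csharp
using System;
using System.Collections.Concurrent;
using System.Runtime.Serialization;
using System.Security.Cryptography;
using System.ServiceModel;

// Fault detail sent to the client when a session is unknown or expired (assumed contract).
[DataContract]
public class SessionExpired
{
    [DataMember] public string Reason { get; set; }
}

public static class SessionStore
{
    // Hypothetical in-memory stand-in for the session table the question describes.
    private sealed class Entry { public string User; public DateTime LastSeenUtc; public string[] Rights; }
    private static readonly ConcurrentDictionary<Guid, Entry> Sessions = new ConcurrentDictionary<Guid, Entry>();
    private static readonly TimeSpan IdleTimeout = TimeSpan.FromMinutes(20); // assumed policy value

    // Called by Login() only after the password check succeeded (step 2).
    public static Guid Create(string user, string[] rights)
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes); // CSPRNG; Guid.NewGuid() is not documented as one
        var id = new Guid(bytes);
        Sessions[id] = new Entry { User = user, LastSeenUtc = DateTime.UtcNow, Rights = rights };
        return id;
    }

    // Called at the top of every service method; mirrors the static check in step 5.
    // Unknown or idle-expired session: FaultException<SessionExpired>. Known session without the right: false.
    public static bool Check(Guid sessionId, string requiredRight)
    {
        Entry e;
        if (!Sessions.TryGetValue(sessionId, out e) || DateTime.UtcNow - e.LastSeenUtc > IdleTimeout)
        {
            Sessions.TryRemove(sessionId, out e); // purge expired entries so they cannot be replayed later
            throw new FaultException<SessionExpired>(new SessionExpired { Reason = "unknown or expired session" });
        }
        e.LastSeenUtc = DateTime.UtcNow; // sliding expiry: activity extends the session
        return Array.IndexOf(e.Rights, requiredRight) >= 0;
    }

    // Logout must invalidate on the server; forgetting the GUID on the client alone is not enough.
    public static void Destroy(Guid sessionId) { Entry e; Sessions.TryRemove(sessionId, out e); }
}
```

If a web front end stores this GUID in a cookie, the server-side expiry and Destroy() above still govern its lifetime; the cookie itself should be marked HttpOnly and Secure so browser script cannot read it and it never travels over plain HTTP.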