SecureConversationServiceCredential.SecurityStateEncoder Property

Definition

Gets or sets a customized SecurityStateEncoder for encoding and decoding cookie serialization.

public:
 property System::ServiceModel::Security::SecurityStateEncoder ^ SecurityStateEncoder { System::ServiceModel::Security::SecurityStateEncoder ^ get(); void set(System::ServiceModel::Security::SecurityStateEncoder ^ value); };
public System.ServiceModel.Security.SecurityStateEncoder SecurityStateEncoder { get; set; }
member this.SecurityStateEncoder : System.ServiceModel.Security.SecurityStateEncoder with get, set
Public Property SecurityStateEncoder As SecurityStateEncoder

Property Value

A SecurityStateEncoder object, which is a customization of DataProtectionSecurityStateEncoder.

Examples

The following code shows how to set this property.

static void Configure(ServiceHost serviceHost)
{
    /*
     * There are certain settings that cannot be configured via app.config.
     * The security state encoder is one of them.
     * Plug in a SecurityStateEncoder that uses the configured certificate
     * to protect the security context token state.
     *
     * Note: You don't need a security state encoder for cookie mode.  This was added to the
     * sample to illustrate how you would plug in a custom security state encoder should
     * your scenario require one.
     * */
    serviceHost.Credentials.SecureConversationAuthentication.SecurityStateEncoder =
            new CertificateSecurityStateEncoder(serviceHost.Credentials.ServiceCertificate.Certificate);
}

Remarks

In "cookie mode", a service issues the client a security context token (SCT) in the form of a cookie so that the service does not have to maintain any security state. The client sends the cookie back in the request message so that the service knows how to unprotect and verify the request message. Because the SCT is often transmitted over a non-secure network, it must be protected.

By default, Windows Communication Foundation (WCF) uses the DataProtectionSecurityStateEncoder class to protect the cookie using the Data Protection API (DPAPI). For DPAPI to work in a Web farm environment, all the backend services must run as the same domain user account. In other words, if the service is Web hosted, then the Internet Information Services (IIS) worker process must be configured to run as a domain user.

This property enables you to use a customized SecurityStateEncoder to encrypt and decrypt the cookie and not depend on DPAPI.
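
One way to write such an encoder without DPAPI, shown here as an added example that is not part of the original page or of the WCF samples: it encrypts the cookie state with AES-CBC and authenticates it with HMAC-SHA256 (encrypt-then-MAC), so a modified cookie is rejected before any decryption happens. The class name SharedKeySecurityStateEncoder is hypothetical, and the example assumes the same two 32-byte keys are provisioned on every node of the farm.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.ServiceModel.Security;

// Added example (hypothetical class name). Cookie layout: IV || ciphertext || HMAC(IV || ciphertext).
public sealed class SharedKeySecurityStateEncoder : SecurityStateEncoder
{
    private const int IvSize = 16, TagSize = 32;
    private readonly byte[] encKey, macKey; // assumed: same two 32-byte keys on every farm node
    public SharedKeySecurityStateEncoder(byte[] encKey, byte[] macKey)
    {
        if (encKey == null || encKey.Length != 32) throw new ArgumentException("32-byte key required", nameof(encKey));
        if (macKey == null || macKey.Length != 32) throw new ArgumentException("32-byte key required", nameof(macKey));
        this.encKey = (byte[])encKey.Clone();
        this.macKey = (byte[])macKey.Clone();
    }
    protected override byte[] EncodeSecurityState(byte[] data)
    {
        using (var aes = Aes.Create())           // defaults: CBC mode, PKCS7 padding
        using (var hmac = new HMACSHA256(macKey))
        {
            aes.Key = encKey;
            aes.GenerateIV();                    // fresh random IV for every cookie
            byte[] body;
            using (var enc = aes.CreateEncryptor())
                body = aes.IV.Concat(enc.TransformFinalBlock(data, 0, data.Length)).ToArray();
            return body.Concat(hmac.ComputeHash(body)).ToArray();
        }
    }
    protected override byte[] DecodeSecurityState(byte[] data)
    {
        if (data == null || data.Length < IvSize + 16 + TagSize)
            throw new CryptographicException("Malformed security state.");
        int bodyLen = data.Length - TagSize;
        using (var aes = Aes.Create())
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] expected = hmac.ComputeHash(data, 0, bodyLen);
            int diff = 0;                        // verify the MAC before decrypting, in constant time
            for (int i = 0; i < TagSize; i++) diff |= expected[i] ^ data[bodyLen + i];
            if (diff != 0) throw new CryptographicException("Security state failed integrity check.");
            aes.Key = encKey;
            aes.IV = data.Take(IvSize).ToArray();
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(data, IvSize, bodyLen - IvSize);
        }
    }
}
```

An instance is assigned to serviceHost.Credentials.SecureConversationAuthentication.SecurityStateEncoder in the same way as in the Configure method above. Because a cookie is accepted only when its HMAC verifies, replacing the keys invalidates every SCT cookie issued under the old ones.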
