I have an application that uses WinForms for the client and an application
server. These two tiers communicate through Remoting.
 
I need to maintain some form of user session concept (for authentication
purposes, as well as to preserve across-call information on the server
side). There is a system in place to establish a user session and provide
credentials by calling a web service through SSL.  The client establishes a
session and receives a ticket that must be passed to the server every time a
call takes place.
 
Although I can pass the ticket on every request as an additional parameter
(opaque string, or maybe even a serializable object), it would be much more
elegant for both tiers to have a customized implementation of
BinaryFormatter that does this automatically. Besides not cluttering
business object calls with an additional parameter, this would also help me
to establish a ticket expiration / replacement scheme that will help to
prevent replay attacks to a degree - or at least shorten the window of
opportunity for these.
 
I basically need to place some preprocessing code when a remoting call takes
place, add a custom "header" (the IRemotingFormatter interface supports
additional headers), then pass on the request to the channel as .NET would
normally do.  On the receiving side (server), I need to intercept the
invocation and do some checks on this custom header, then let .NET
deserialize the main call data and pass it on to the MarshalByRef object
being called.
 
Has anybody implemented such a scheme?  What would be the pros and cons of
this solution?
 
Kamen Lilov
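As an added example, not part of the original post and not taken from any existing library: one way to do what is described above with a pair of .NET Remoting channel sinks instead of a modified BinaryFormatter. The client sink writes the ticket into the transport headers of every call; the server sink is registered ahead of the formatter, so the ticket is checked before BinaryFormatter deserializes any of the caller's bytes, and the call only reaches the MarshalByRefObject if the check passes. The header name, the TicketStore, the five-minute lifetime and the in-code channel wiring are assumptions chosen for illustration; the SSL login web service that would call TicketStore.Issue and hand the result to the client is not shown.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Tcp;
using System.Runtime.Remoting.Messaging;
using System.Security;
using System.Security.Cryptography;

// Assumptions of this example: the header name, and a process-wide holder for the ticket returned by login.
static class TicketHeader { public const string Name = "X-Session-Ticket"; }
public static class ClientSession { public static string Ticket; }   // set once after the SSL login call

// Server side: issued tickets and their expiry. Lifetime is an assumption; the table is in-process only.
public static class TicketStore
{
    static readonly Dictionary<string, DateTime> Expiry = new Dictionary<string, DateTime>();
    static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(5);
    static readonly RandomNumberGenerator Rng = RandomNumberGenerator.Create();
    public static string Issue()                 // the login web service calls this after verifying credentials
    {
        byte[] raw = new byte[32]; Rng.GetBytes(raw);
        string t = Convert.ToBase64String(raw);
        lock (Expiry) Expiry[t] = DateTime.UtcNow + Lifetime;
        return t;
    }
    public static bool Validate(string ticket)   // missing, unknown or expired tickets are rejected
    {
        if (ticket == null) return false;
        DateTime now = DateTime.UtcNow, exp;
        lock (Expiry)
        {
            if (!Expiry.TryGetValue(ticket, out exp) || exp < now) { Expiry.Remove(ticket); return false; }
            Expiry[ticket] = now + Lifetime;     // sliding expiry: idle sessions die, active ones stay alive
        }
        return true;
    }
}

// Client channel sink: sits between the formatter and the transport and stamps every outgoing call.
public class TicketClientSink : BaseChannelSinkWithProperties, IClientChannelSink
{
    readonly IClientChannelSink _next;
    public TicketClientSink(IClientChannelSink next) { _next = next; }
    public IClientChannelSink NextChannelSink { get { return _next; } }
    public Stream GetRequestStream(IMessage m, ITransportHeaders h) { return _next.GetRequestStream(m, h); }
    public void ProcessMessage(IMessage msg, ITransportHeaders req, Stream reqStream, out ITransportHeaders resp, out Stream respStream)
    {
        req[TicketHeader.Name] = ClientSession.Ticket;
        _next.ProcessMessage(msg, req, reqStream, out resp, out respStream);
    }
    public void AsyncProcessRequest(IClientChannelSinkStack stack, IMessage msg, ITransportHeaders req, Stream s)
    {
        req[TicketHeader.Name] = ClientSession.Ticket;   // nothing to do on the reply, so no stack.Push here
        _next.AsyncProcessRequest(stack, msg, req, s);
    }
    public void AsyncProcessResponse(IClientResponseChannelSinkStack stack, object state, ITransportHeaders resp, Stream s)
    { stack.AsyncProcessResponse(resp, s); }
}
public class TicketClientSinkProvider : IClientChannelSinkProvider
{
    public IClientChannelSinkProvider Next { get; set; }
    public IClientChannelSink CreateSink(IChannelSender ch, string url, object data)
    { return new TicketClientSink(Next == null ? null : Next.CreateSink(ch, url, data)); }
}

// Server channel sink, placed BEFORE the formatter: reqMsg is still null here, and the ticket is
// checked before BinaryFormatter has deserialized a single byte of the caller's payload.
public class TicketServerSink : BaseChannelSinkWithProperties, IServerChannelSink
{
    readonly IServerChannelSink _next;
    public TicketServerSink(IServerChannelSink next) { _next = next; }
    public IServerChannelSink NextChannelSink { get { return _next; } }
    public Stream GetResponseStream(IServerResponseChannelSinkStack st, object state, IMessage m, ITransportHeaders h) { return null; }
    public ServerProcessing ProcessMessage(IServerChannelSinkStack stack, IMessage reqMsg, ITransportHeaders req,
        Stream reqStream, out IMessage respMsg, out ITransportHeaders resp, out Stream respStream)
    {
        if (!TicketStore.Validate(req[TicketHeader.Name] as string))
            throw new SecurityException("missing, expired or unknown session ticket");
        return _next.ProcessMessage(stack, reqMsg, req, reqStream, out respMsg, out resp, out respStream);
    }
    public void AsyncProcessResponse(IServerResponseChannelSinkStack stack, object state, IMessage msg, ITransportHeaders resp, Stream s)
    { stack.AsyncProcessResponse(msg, resp, s); }
}
public class TicketServerSinkProvider : IServerChannelSinkProvider
{
    public IServerChannelSinkProvider Next { get; set; }
    public void GetChannelData(IChannelDataStore d) { }
    public IServerChannelSink CreateSink(IChannelReceiver ch) { return new TicketServerSink(Next == null ? null : Next.CreateSink(ch)); }
}

// Wiring in code rather than .config. Order matters: the server checks the ticket first, then deserializes.
public static class Wiring
{
    public static void Server(int port)
    {
        IServerChannelSinkProvider p = new TicketServerSinkProvider { Next = new BinaryServerFormatterSinkProvider() };
        ChannelServices.RegisterChannel(new TcpServerChannel(new Hashtable { { "port", port } }, p), false);
    }
    public static void Client()    // the formatter must stay first on the client: it creates the request stream
    {
        IClientChannelSinkProvider f = new BinaryClientFormatterSinkProvider { Next = new TicketClientSinkProvider() };
        ChannelServices.RegisterChannel(new TcpClientChannel("tcp", f), false);
    }
}
```

A few notes on the design choices. Because the server sink runs before the formatter, it cannot build a typed ReturnMessage (there is no deserialized IMethodCallMessage yet); it rejects by throwing, which the channel reports to the caller as a remoting error whose exact type depends on the channel in use. If you would rather return a clean fault of your own, register the sink after the formatter instead, at the price of deserializing untrusted input before authenticating it. The per-call ticket replacement mentioned in the post slots in naturally: the server sink would stack.Push itself, set a second response header with the new ticket in the Complete branch (and in AsyncProcessResponse), and the client sink would read that header on the reply and update ClientSession.Ticket; the caveat is that several in-flight calls from the same client then carry a ticket that has just been retired, so the old one needs a short grace period. Finally, a plain TcpChannel sends the header in the clear, so rotation only narrows the replay window; an encrypted channel (the .NET 2.0 TcpChannel's secure=true, or HTTPS) is what actually keeps the ticket from being captured in the first place.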
 
