DevForce Community Forum : SessionEncryptionKey Best Practices

DevForce Community Forum : SessionEncryptionKey Best Practices http://www.ideablade.com/forum/ This is an XML content feed of; DevForce Community Forum : DevForce 2009 : SessionEncryptionKey Best Practices Sat, 11 Apr 2026 07:54:03 -700 Mon, 08 Dec 2008 19:38:26 -700 http://blogs.law.harvard.edu/tech/rss Web Wiz Forums 9.69 360 www.ideablade.com/forum/RSS_post_feed.asp?TID=1014 DevForce Community Forum http://www.ideablade.com/forum/forum_images/IdeaBlade_logo_tm.png http://www.ideablade.com/forum/ SessionEncryptionKey Best Practices : Out-of-the-box, DevForce does... http://www.ideablade.com/forum/forum_posts.asp?TID=1014&PID=3696#3696 Author: kimj
Subject: 1014
Posted: 08-Dec-2008 at 7:38pm

Out-of-the-box, DevForce does not use a secure binding for communications between client applications and a BOS, but this is easily done by using a .config file containing WCF ServiceModel configuration. Here are some sample configuration files showing various security options. We don't yet have an end-to-end tutorial, but that will be coming within the next release or so.

http://www.ideablade.com/forum/uploads/11/Sample_NTier_configs.zip

]]> Mon, 08 Dec 2008 19:38:26 -700 http://www.ideablade.com/forum/forum_posts.asp?TID=1014&PID=3696#3696 SessionEncryptionKey Best Practices : Haven't tried SSL outside... http://www.ideablade.com/forum/forum_posts.asp?TID=1014&PID=3687#3687 Author: kimj
Subject: 1014
Posted: 05-Dec-2008 at 1:35pm

Haven't tried SSL outside of IIS, but I'd guess it would work with a Windows Service too.

I'll need to check around for any examples; we might have to whip up something for you.

]]> Fri, 05 Dec 2008 13:35:53 -700 http://www.ideablade.com/forum/forum_posts.asp?TID=1014&PID=3687#3687 SessionEncryptionKey Best Practices : Got it, the SessionBundle is what's... http://www.ideablade.com/forum/forum_posts.asp?TID=1014&PID=3685#3685 Author: dkearney1
Subject: 1014
Posted: 05-Dec-2008 at 12:12pm

Got it, the SessionBundle is what's protected out-of-the-box.

"... user SSL or customize the binding stack to add security features."

Can or cannot be done when using the BOS as a service (ServerService.v4.exe)?

Where would I find an examples?]]> Fri, 05 Dec 2008 12:12:31 -700 http://www.ideablade.com/forum/forum_posts.asp?TID=1014&PID=3685#3685 SessionEncryptionKey Best Practices : The SessionBundle stores encrypted... http://www.ideablade.com/forum/forum_posts.asp?TID=1014&PID=3684#3684 Author: kimj
Subject: 1014
Posted: 05-Dec-2008 at 10:58am

The SessionBundle stores encrypted credentials, and those credentials will be encrypted using the SessionEncryptionKey if provided, otherwise a default hardcoded key is used. The SessionBundle is created by a Login call (whether performed explicitly or implicitly by the framework), and then passed as part of the message in all subsequent calls.

The encryption key is actually used to generated a salted hash key, which is then used to encrypt the credentials using AES. The default hardcoded key can be obtained from the DevForce assemblies using a disassembler, which is why you might want to specify your own SessionEncryptionKey.

Since encryption is done only on the credentials, if you need to secure the entire message you should use SSL or customize the binding stack to add security features.

]]> Fri, 05 Dec 2008 10:58:47 -700 http://www.ideablade.com/forum/forum_posts.asp?TID=1014&PID=3684#3684 SessionEncryptionKey Best Practices : I'm looking for more information... http://www.ideablade.com/forum/forum_posts.asp?TID=1014&PID=3683#3683 Author: dkearney1
Subject: 1014
Posted: 04-Dec-2008 at 8:38pm

I'm looking for more information on the use and effects of the SessionEncryptionKey attribute of the ObjectServer node in the app.config.

Is there a good reason to override the default?
Is it a random string?
Does it protect only the SessionBundle, or does it protect all data passed between the client and the BOS?

In the end I want to tell my customers that I'm doing my part to protect their data as it's travelling through the wild, and I'm not sure I understand enough to say so confidently.]]> Thu, 04 Dec 2008 20:38:19 -700 http://www.ideablade.com/forum/forum_posts.asp?TID=1014&PID=3683#3683