With custom UserNamePasswordValidator, can I kill the user's WPF “session”?

Question

I\'m using a custom UserNamePasswordValidator, which instantiates and logs in to our internal API.

This API exposes an event that\'s fired when the user is \"kicked\" (b

Answer 1

If you expect that service will authenticate each user call with user name and password than you can have any code in your validator. But if you expect using per session service instancing you will probably also use security context (security session). In that case only first request is authenticated by validator and subsequent request are authenticated by token generated during establishing security context.

Edit:

Each running service is represented by InstanceContext class. If you have PerSession services the InstanceContext is same for each call. If you store reference to InstanceContext somewhere you should be able to release instance and close session - I have never tryed but it should be possible.

Answer 2

I found some code at http://www.neovolve.com/post/2008/04/07/wcf-security-getting-the-password-of-the-user.aspx that shows how to use a custom ServiceCredentials class and, from there, passing the user's details all the way through to Thread.CurrentPrinciple.

Starting from that code, I've stashed the Connection object in a custom principal object, which means that I can get to it in a session context. Then, I added a custom CodeAccessSecurityAttribute that checks that connection object to see if it's been disconnected. If it has, an exception is thrown, which kills the user's session.