
Now, I am facing difficulties with web service authentication. The client requests the web service. First, the client needs to log in with a user name and password. Then, the server will give a token (random/datetime/randomcode) back to access the web service. The client can request the web service with the token key. The web service needs to authenticate the token, whether it is correct or not.
Now, the following is my code. But I don't know how to continue adding the code from the Code Project's web service authentication article. Please help me!
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Services;
using System.Web.Services.Protocols;
using System.Text;

namespace AuthWebApplication
{
    using System.Security.Cryptography;

    /// <summary>
    /// Summary description for WebService1
    /// </summary>
    [WebService(Namespace = "")]
    [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
    // To allow this Web Service to be called from script, using ASP.NET AJAX, uncomment the following line.
    // [System.Web.Script.Services.ScriptService]
    public class WebService1 : System.Web.Services.WebService
    {
        public WebService1()
        {
        }

        //Uncomment the following line if using designed components
        //public AuthHeader SoapAuthentication;

        [WebMethod(Description = "A sample Web Method to demonstrate a simple web Service Authentication using SOAP Headers")]
        public string SampleWebMethod(string Username, String Password)
        {
            // Hard-coded demo credentials; no token is issued or checked yet.
            if (Username == "demo" && Password == "123")
                return Username + " is an Authenticated User to access the Web Method";
            return "Access Denied for " + Username;
        }
    }
}

Best regards,
Wai Mar Khaing

1 solution

Do web services support a session? That would be the easiest, but I don't think they do.

The simplest option is simply to maintain a list of valid tokens and their last use (so you can expire them like web sessions). When you issue a token, add it to the list; whenever a service operation is called (or on a timer in a background thread, it doesn't really matter much), check if any tokens need to be taken off the list because they've expired; and, obviously, if you provide a logout method, the token that is logged out should be removed.

You can also bind tokens to an IP address, if they are designed to be short-lifetime, which prevents session hijacking but means that dynamic IP users might lose their token.
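The token list described in the answer above, as an added example that is not part of the original question or answer: tokens are issued after login, expire after an idle period, are removed on logout, and are bound to the client address. `TokenStore` and its member names are hypothetical, and the caller is assumed to pass in the client address itself (in an ASMX service, for instance, from `HttpContext.Current.Request.UserHostAddress`).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;

// Added example; TokenStore and its members are hypothetical names.
public sealed class TokenStore
{
    private sealed class Entry { public string ClientIp; public DateTime LastUsedUtc; }
    private readonly Dictionary<string, Entry> _tokens = new Dictionary<string, Entry>();
    private readonly object _gate = new object();
    private readonly TimeSpan _idleTimeout;

    public TokenStore(TimeSpan idleTimeout) { _idleTimeout = idleTimeout; }

    // Call once the user name and password have been verified.
    public string Issue(string clientIp)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes); // CSPRNG, not System.Random
        string token = Convert.ToBase64String(bytes);
        lock (_gate) _tokens[token] = new Entry { ClientIp = clientIp, LastUsedUtc = DateTime.UtcNow };
        return token;
    }

    // Call at the start of every web method that requires a login.
    public bool Validate(string token, string clientIp)
    {
        if (string.IsNullOrEmpty(token)) return false;
        lock (_gate)
        {
            PurgeExpired();
            Entry e;
            if (!_tokens.TryGetValue(token, out e)) return false; // unknown, expired or logged out
            if (e.ClientIp != clientIp) return false;             // presented from another address
            e.LastUsedUtc = DateTime.UtcNow;                      // sliding expiry, like a web session
            return true;
        }
    }

    // Logout: the token stops working immediately.
    public void Revoke(string token) { if (token != null) lock (_gate) _tokens.Remove(token); }

    private void PurgeExpired() // caller holds _gate
    {
        DateTime cutoff = DateTime.UtcNow - _idleTimeout;
        foreach (string key in _tokens.Where(p => p.Value.LastUsedUtc < cutoff).Select(p => p.Key).ToList())
            _tokens.Remove(key);
    }
}
```

A single static instance shared by the service keeps the list alive across requests; it is held in memory only, so tokens are lost when the application restarts.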

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
