Following from my last post bemoaning the lack of transport-level client crediential authentication when running inside IIS, I've started implementing my own encrypted session-transfer between clients and the server. I want to to use Http Headers as a primary way of broadcasting session information, and also because it's difficult for a hacker to know exactly what value to add to the http headers if it's been encrypted left, right and centre. I might extend this to using a cookie as well; but the advantage of relying on http headers is that it means clients other than web browsers will be able to access the services; so long as they can authenticate. The primary focus of my proof of concepts at the moment are on the AJAX side, both Asp.Net Ajax and 'vanilla' Ajax (e.g. jQuery or direct XmlHttp) - since I know that in Silverlight, for example, I'll be using a different endpoint and can probably add the same authentication data to the message itself. The scen...
Replacing my old blog at http://www.lordzoltan.org. C#, rants and other brain vomit