AJAX Q & A Question 7: Support For ASP.NET Session When Calling WCF Services
The question was posed to me whether ASP.NET Session state is supported when calling WCF Services from the ASP.NET AJAX Client libraries. Without looking into it, you would assume no. You would assume this because WCF was designed to be transport independent. One of the key tenets of WCF is the separation of the service contract and implementation from how it is exposed (transport, address, etc.). This means that WCF was designed so that you can expose the same service over Http and TCP.
Mixed Transports Mode
Because ASP.NET Session state is dependant upon the Http Pipeline (for more on the http pipeline see this article), you would assume that WCF would not have access to Session. In the default configuration, you would assume correctly. By default, WCF services hosted in IIS run in what is known as 'Mixed Transports Mode'. In this mode, the request is intercepted in the BeginRequest stage of the Http Pipeline. It is then routed through the WCF channel stack. As a result, many of the ASP.NET features available to asmx services are not available to WCF services, including Session. From the documentation, the following features are not available in this mode:
HttpContext: current is always null when accessed from within a WCF service.
File-based authorization: The WCF security model does not allow for the access control list (ACL) applied to the .svc file of the service when deciding if a service request is authorized.
Configuration-based URL Authorization: Similarly, the WCF security model does not adhere to any URL-based authorization rules specified in System.Web’s <authorization> configuration element. These settings are ignored for WCF requests if a service resides in a URL space secured by ASP.NET’s URL authorization rules.
HttpModule extensibility: The WCF hosting infrastructure intercepts WCF requests during the PostAuthenticateRequest stage and does not return processing to the ASP.NET HTTP pipeline. Modules that are coded to intercept requests at later stages of the pipeline do not intercept WCF requests.
ASP.NET impersonation: By default, WCF requests always executes as the IIS process identity, even if ASP.NET is set to enable impersonation using System.Web’s <identity impersonate=”true” /> configuration option.
ASP.NET Compatibility Mode
When hosting WCF Services in IIS, you have another mode known as 'ASP.NET Compatibility Mode' available to you. In this mode, WCF services participate fully in the ASP.NET pipeline lifecycle. In this mode, you DO have access to Session and other ASP.NET features. As I have described before, WCF adheres to an opt-in model. In other words, in WCF, you have to actively configure services for desired features. The following details the steps to configure asp.net compatability mode:
1. Enable ASP.NET Compatability mode at the application level through the following configuration in the web.config: <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />. Here is a sample config file:
2. Explicitly opt-in for the compatibility mode by decorating your service with the AspNetCompatibilityRequirements, setting the RequirementsMode to AspNetCompatibilityRequirementsMode.Allowed or *.Required. See the following sample:
3. Lastly, in order to access the Session, import the System.Web namespace. You can now access session through the HttpContext. See above:
For more detailed information on this subject, see Wenlong Dong's post on the subject.
If you have a question you would like addressed, send me an email to rob.bagby@microsoft.com.
Regards
Comments
- Anonymous
September 26, 2007
PingBack from http://aspnetsecurity.com/?p=35