This code covers the .NET (VB) implementation of web service security using
the Microsoft "The Favorites Service" security schema.
Let's explain how the "The Favorites Service" security schema (implemented in
C++) works: the user passes the login and the password over SSL to the Logon
method and receives a key that is valid for one hour. After that, each method
is called with this one-hour key as a parameter, along with the rest of its
parameters. To reduce the possibility of overloading the traffic between the
web server and the database by flooding the web service with requests that
carry invalid keys, the web service determines whether the key was generated
by the web service. If the key is OK, the method is served. The only risk to
this security is that somebody sniffs the key and uses it within one hour.
The code implements the generation, validation and usage of the (hashed) keys
in VB.NET. To reduce the above security risk, I changed the secret to the IP
address of the request. So the "bad guy" must be able to sniff the key and
also to spoof the IP address of the web service's client (or to be behind the
same proxy).
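
The key scheme described above, as an added VB.NET example (not the article's downloadable code). It assumes a key format of expiry ticks plus an HMAC-SHA256 over the expiry and the caller's IP address, keyed with a server-side secret; the module name, function names, secret and sample addresses are constructed for illustration.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports System.Text
Module SessionKeyDemo
    ' Constructed demo secret (assumption); a real service loads it from protected configuration.
    Private ReadOnly ServerSecret As Byte() = Encoding.UTF8.GetBytes("demo-secret-not-for-production")
    ' MAC over "<expiryTicks>|<clientIp>", so the key is bound to its lifetime and to the caller's address.
    Private Function Sign(expiryTicks As Long, clientIp As String) As Byte()
        Using mac As New HMACSHA256(ServerSecret)
            Return mac.ComputeHash(Encoding.UTF8.GetBytes(expiryTicks.ToString() & "|" & clientIp))
        End Using
    End Function

    ' Issued by Logon once the login and password have been checked: "<expiryTicks>.<base64 MAC>".
    Public Function IssueKey(clientIp As String, nowUtc As DateTime) As String
        Dim expiry As Long = nowUtc.AddHours(1).Ticks
        Return expiry.ToString() & "." & Convert.ToBase64String(Sign(expiry, clientIp))
    End Function

    ' Checked at the start of every method, without a database round trip.
    Public Function ValidateKey(key As String, clientIp As String, nowUtc As DateTime) As Boolean
        If key Is Nothing Then Return False
        Dim parts As String() = key.Split("."c)
        Dim expiry As Long
        If parts.Length <> 2 OrElse Not Long.TryParse(parts(0), expiry) Then Return False
        If nowUtc.Ticks > expiry Then Return False ' key is older than one hour
        Dim presented As Byte()
        Try
            presented = Convert.FromBase64String(parts(1))
        Catch ex As FormatException
            Return False ' malformed key, rejected before any further work
        End Try
        ' Recompute the MAC for this caller and compare in constant time.
        Dim expected As Byte() = Sign(expiry, clientIp)
        If presented.Length <> expected.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To expected.Length - 1
            diff = diff Or (presented(i) Xor expected(i))
        Next
        Return diff = 0
    End Function
    Sub Main()
        Dim t0 As New DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc) ' constructed sample time
        Dim key As String = IssueKey("203.0.113.10", t0)
        Console.WriteLine(ValidateKey(key, "203.0.113.10", t0.AddMinutes(30))) ' same IP, within the hour
        Console.WriteLine(ValidateKey(key, "198.51.100.7", t0.AddMinutes(30))) ' sniffed key replayed from another IP
        Console.WriteLine(ValidateKey(key, "203.0.113.10", t0.AddMinutes(61))) ' same IP, after expiry
    End Sub
End Module
```

Because the expiry is covered by the MAC, editing the expiry field of a captured key invalidates it. Callers behind the same proxy present the same address, so the IP binding does not separate them.
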
A little background (from MSDN): The hash is used
as a unique value of fixed size representing a large amount of data. Hashes of
two sets of data should match if and only if the corresponding data also
matches. Small changes to the data result in.
Unzip the source code file into a folder and make it a virtual directory
through Internet Services Manager.