Thursday, March 18, 2004

Ivan Comes Through

I reported yesterday that the autogenerated web service proxies are pretty thoroughly broken when it comes to optimizing network roundtrips. That's still true, but the wonderful Ivan Towlson reminded me of a feature that is currently saving my bacon. He pointed out the UnsafeAuthenticatedConnectionSharing on the proxy that causes it to reuse the connection, saving a whole lotta roundtrips. It's “unsafe” because you need to be careful not to reuse the connection for another user against the same web service, as you might wind up providing the wrong credentials. In my case, that's not really a big deal.

I love weblogging - it's sort of like a reverse Google. You put the query out there (after doing your homework, of course), and the results come to you. In return, you try to provide useful information once in a while.

Thanks Ivan!


  1. It’s also unsafe because there’s no authentication of future requests over that connection. There’s no integrity protection or confidentiality either, unless you’re running over SSL. Connection hijacking, packet injection, replay, etc. is possible over such a connection. It’s *really* unsafe. BTW what's the "Remember Me" checkbox supposed to do? I accept cookies from, but I always have to retype my name, email, and URL when I post comments here (and other blogs that use a BlogX/dasBlog back end).

  2. Agreed: it is unsafe in a security context as well - the bar is only as high as forcing the attacker to use man-in-the-middle or hijacking techniques. But there's a (more time-limited) vulnerability there even when authenticating on every connection, so you still need SSL to raise the bar further.

    I'm not sure what's up with "Remember Me". It doesn't work for me either. Fortunately IE's "intellisense" makes up for it, but that is annoying.

    To me, what's more annoying is the fact that my comment feed plain doesn't work. I don't know if that's because of an error in the source data or in the code, but it sure would be nice to get it going. I'll look into both of these and see if I can figure them out.

  3. Have you taken a look at the Proxies that Christian Weyer's addin makes? I know they aren't based on the wsdl.exe or VS.NET proxies, so they may handle this better than what you're using right now.

  4. Yeah, now that you mention it, it's been in the back of my head to check those out. I need to take a look at them for a client anyway - thanks for reminding me.

  5. Finally got around to checking this out. Doesn't look like he deals with it, although the other things he does are cool. Still looks like I need to write my own proxy. Oh well, it's easy enough.