Session State Modes

  • InProc
    Default. Store session in memory of the web server.
  • StateServer
    Store session in ASP.NET state service. Preserved when the web application is restarted. Available across web farm.
  • SQLServer
    Store in a database. Preserved when the web application is restarted. Available across web farm.
  • Custom
    Specify custom storage provider.
  • Off
    Disable session.

More reading on: Session-State Modes


Social Survey


Many surveys begin with asking basic information (sex, age, city, etc) before going to the specific questions of the survey. An improvement for this area can be made by letting participants to login with their Facebook / LinkedIn account. By logging in with their social network account, we can directly ask the survey’s specific questions, all the basic information is captured thru the social network accounts. Obviously, privacy is a concern as well as staying anonymous, so the system will only take basic information from the accounts.
Another benefit we can gain from this concept is that the surveyors / researchers can target specific demographic. For example, the researchers want to survey all female living in zip code of 98728. The system (or app) will then notify all its female users who live in 98728 about the available survey. This also gives the researchers real-time survey answers which opens an opportunity for real-time survey such as surveying traffic on a specific hours in a construction site.
Incentive program can also be implemented to encourage participants and responses.


  • Real-time survey and response.
  • Targeted demographic.
  • Time-saving and direct survey.


By using participants’ social network accounts, we gain all the benefits above.

Will it work?

Unity Dependency Injection in ASP.NET MVC Authorize Attribute

Often times, we need custom Authorize attribute used in ASP.NET MVC to customized authorization using our own authorize / authentication service. And with that, we need to inject dependency into the attribute.

In C#, only certain type can be passed into an attribute. To get dependency in an attribute: DependencyResolver.Current.GetService()

public class MyAuthorizationAttribute : AuthorizeAttribute
    public IMyAuthService myAuthService { get; set; }

    public PartDAuthorizationAttribute()
        myAuthService = DependencyResolver.Current.GetService<IMyAuthService>();

    public override void OnAuthorization(AuthorizationContext filterContext)
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            bool auth = myAuthService.IsUserAuthorized();
            if (!auth)

Code is written for Unity 3.0 and ASP.NET MVC 4

Differences Between BasicHttpBinding and WsHttpBinding

TLDR: Security: BasicHttp sends request in plain text and WsHttp implements WS-Security. Protocol: in BasicHttp, SOAP 1.1 and WsHttp, SOAP 1.2 (it also supports full WS federation). State management: BasicHttp is stateless, WsHttp supports state management.

Criteria BasicHttpBinding WsHttpBinding
Security support This supports the old ASMX style, i.e. WS-BasicProfile 1.1. This exposes web services using WS-* specifications.
Compatibility This is aimed for clients who do not have .NET 3.0 installed and it supports wider ranges of clients. Many of the clients like Windows 2000 still do not run .NET 3.0. So older version of .NET can consume this service. As its built using WS-* specifications, it does not support wider ranges of client and it cannot be consumed by older .NET version less than 3 version.
Soap version SOAP 1.1 SOAP 1.2 and WS-Addressing specification.
Reliable messaging Not supported. In other words, if a client fires two or three calls you really do not know if they will return back in the same order. Supported as it supports WS-* specifications.
Default security options By default, there is no security provided for messages when the client calls happen. In other words, data is sent as plain text. As WsHttBinding supports WS-*, it has WS-Security enabled by default. So the data is not sent in plain text.
Security options
  • None
  • Windows – default authentication
  • Basic
  • Certificate
  • None
  • Transport
  • Message
  • Transport with message credentials

Source: Difference between BasicHttpBinding and WsHttpBinding

MSDN resource has complete list of the differences between bindings.

An Unsecured or Incorrectly Secured Fault Was Received From The Other Party


The inner FaultException goes something like: System.ServiceModel.FaultException: The message could not be processed because the action ‘; is invalid or unrecognized.

It’s caused by WCF service configured to not communicate in WS-SecureConversation while the client is. Or vice versa. In my case, the client is an ASP.NET MVC 4 application that is trying to pass token (identity delegation) over to a WCF 4.5 service through WSTrustChannelFactory protocol.

Both of the client and the service must be configured to use same security context. If you want to turn WS-SecureConversation off, turn off on both config. Same applies to turning on WS-SecureConversation.

        <security mode="TransportWithMessageCredential">
            <message establishSecurityContext="false" />

WCF Client Config Template with Identity Delegation (WSTrust)

A minimal config for a client (for example, ASP.NET MVC application, ASP.NET Web Form application, or another WCF service application), that is a relying party to WIF (or any STS), to consume a WCF service (SOAP) using Identity Delegation (with WSTrust protocol). Identity Delegation allows the client to call WCF service and pass in the claims as if it’s being called by the user of the client. Compare Identity Delegation to Trusted Subsystem.

This config is auto-generated with “Add Service Reference” wizard from WCF service config in WCF Config Template for Identity Delegation with WIF.

This config DOES NOT include setting integrating the client with WIF. For example of this, see WIF 3.5 Relying Party Config Template.

Note that:
http://localhost:11000 is the Secure Token Service (STS) URL.
http://localhost:58829 is service’s endpoint address.

<?xml version="1.0" encoding="utf-8" ?>
                <binding name="WS2007FederationHttpBinding_IService">
                            <issuer address="http://localhost:11000/Issue.svc" binding="ws2007HttpBinding"
                                    <dns value="IdentityTKStsCert" />
                            <issuerMetadata address="http://localhost:11000/Issue.svc/mex" />
                                <trust:SecondaryParameters xmlns:trust="">
                                    <trust:KeyType xmlns:trust=""></trust:KeyType>
                                    <trust:KeySize xmlns:trust="">256</trust:KeySize>
                                    <trust:KeyWrapAlgorithm xmlns:trust=""></trust:KeyWrapAlgorithm>
                                    <trust:EncryptWith xmlns:trust=""></trust:EncryptWith>
                                    <trust:SignWith xmlns:trust=""></trust:SignWith>
                                    <trust:CanonicalizationAlgorithm xmlns:trust=""></trust:CanonicalizationAlgorithm>
                                    <trust:EncryptionAlgorithm xmlns:trust=""></trust:EncryptionAlgorithm>
                <binding name="http://localhost:11000/Issue.svc">
                        <message clientCredentialType="Certificate" negotiateServiceCredential="false" />
            <endpoint address="http://localhost:58829/Service.svc" binding="ws2007FederationHttpBinding"
                contract="ServiceReference.IService" name="WS2007FederationHttpBinding_IService">
                    <certificate encodedValue="AwAAAAEAAAAUAAAAQKHSYiv" />

To create ChannelFactory and pass in the secured token from the client:

// Get the token
WSTrustChannelFactory trustChannelFactory = new WSTrustChannelFactory( stsBinding, stsAddress );
WSTrustChannel channel = (WSTrustChannel) trustChannelFactory.CreateChannel();
RequestSecurityToken rst = new RequestSecurityToken(RequestTypes.Issue);
rst.AppliesTo = new EndpointAddress(serviceAddress);
RequestSecurityTokenResponse rstr = null;
SecurityToken token = channel.Issue(rst, out rstr);

// Use the token, pass in to WCF service
IHelloService serviceChannel = channelFactory.CreateChannelWithIssuedToken<IHelloService>( token ); serviceChannel.Hello(“Hi!”);

Additional resource: MSDN WSTrustChannelFactory and WSTrustChannel

WCF Config Template for Identity Delegation with WIF 3.5

A minimal config for WCF (.Net 4.5) service. The binding allows Identity Delegation with WIF 3.5. For WIF 4.5, use Identity and Access Tool.

The config template includes WIF configuration. It’s necessary because the WCF service, in this case, is a relying party.

Note that:
http://localhost:11000 is the Secure Token Service (STS) URL.
http://localhost:58829 is service’s endpoint address (the relying party).

The downside with this is that you can’t invoke the service with WCF Test Client. It will complain about “SOAP security negotiation failed.” with inner exception “Client certificate is not provided”. This is because WCF Test Client is not configured with SOAP security negotiation (maybe there’s a way?).

<?xml version="1.0"?>

        <!--For WIF 3.5-->
        <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />


        <compilation debug="true" targetFramework="4.5" />


            <!--For Identity Delegation-->
                <binding name="ws2007FederationHttpBinding_IService">
                    <security mode="Message">
                    <!--TransportWithMessageCredential requires HTTPS-->
                    <!--<security mode="TransportWithMessageCredential">-->
                            <issuerMetadata address="http://localhost:11000/Issue.svc/mex" />



            <!--For Identity Delegation-->
            <service name="Acme.AccountService.Service" behaviorConfiguration="AcmeService.Service_Behavior">
                <endpoint binding="ws2007FederationHttpBinding" bindingConfiguration="ws2007FederationHttpBinding_IService" contract="Acme.AccountService.Contracts.IService" />



                <!--For Identity Delegation-->
                <behavior name="AcmeService.Service_Behavior">
                    <federatedServiceHostConfiguration />
                    <serviceMetadata httpGetEnabled="true" />
                    <serviceDebug includeExceptionDetailInFaults="true" />
                        <serviceCertificate findValue="40A1D2622BFBDAC80A38858AD8001E09454987AD" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
                    <serviceAuthorization principalPermissionMode="Always" />


        <!--For Identity Delegation-->
                <add name="federatedServiceHostConfiguration" type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

        <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />

        <modules runAllManagedModulesForAllRequests="true"/>

    <!--For WIF 3.5-->
        <service saveBootstrapTokens="true">
                <add value="http://localhost:58829/" />

                <wsFederation passiveRedirectEnabled="true" issuer="http://localhost:11000/Issue.svc" realm="http://localhost:58829/" requireHttps="false"/>
                <cookieHandler requireSsl="false"/>

            <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
                    <add thumbprint="40A1D2622BFBDAC80A38858AD8001E09454987AD" name="http://localhost:11000/Issue.svc"/>