I don't think WSE 2 or 3 come with built-in replay detection, other than for
the UsernameToken profile.
Another option is to cache every message ID or signature value in some data
store and, when a new message arrives, check the incoming message's
ID/signature value against the list of messages already received.
You also need to perform risk analysis on a replay attack. For instance, if
a replay attack causes your code to attempt to update a database with
duplicate data, depending on your criteria it could be rejected
automatically. Therefore, in that case, a replay is theoretically a
non-issue, except if you're worried about DoS attacks.
"Scott Seely" wrote:
This isn't a simple thing to do. Typically, one uses something like
WS-Security plus a nonce cache to handle things. These things are really hard
to write and get right. I recommend using WSE or WCF. Both items have already
solved the problem.
"Baheri" wrote:
Does anyone have a sample on how replay attacks can be prevented in a
web service?