This documentation is archived and is not being maintained.

SecureConversationServiceCredential.SecurityStateEncoder Property

Gets or sets a customized SecurityStateEncoder for encoding and decoding cookie serialization.

Namespace:  System.ServiceModel.Security
Assembly:  System.ServiceModel (in System.ServiceModel.dll)

public SecurityStateEncoder SecurityStateEncoder { get; set; }

In "cookie mode", a service issues the client a security context token (SCT) in the form of a cookie, so that the service does not have to maintain any security state. The client sends the cookie back in the request message so that the service knows how to unprotect and verify the request message. Because the SCT is often transmitted over a non-secure network, it must be protected.

By default, Windows Communication Foundation (WCF) uses the DataProtectionSecurityStateEncoder class to protect the cookie using the Data Protection API (DPAPI). For DPAPI to work in a Web farm environment, all the backend services must run as the same domain user account. In other words, if the service is Web hosted, then the Internet Information Services (IIS) worker process must be configured to run as a domain user.

This property enables you to use a customized SecurityStateEncoder to encrypt and decrypt the cookie and not depend on DPAPI.

The following code shows how to set this property.


static void Configure(ServiceHost serviceHost)
{
    /*
     * There are certain settings that cannot be configured via app.config.  
     * The security state encoder is one of them.
     * Plug in a SecurityStateEncoder that uses the configured certificate 
     * to protect the security context token state.
     * 
     * Note: You don't need a security state encoder for cookie mode.  This was added to the 
     * sample to illustrate how you would plug in a custom security state encoder should
     * your scenario require one.
     * */
    serviceHost.Credentials.SecureConversationAuthentication.SecurityStateEncoder = 
            new CertificateSecurityStateEncoder(serviceHost.Credentials.ServiceCertificate.Certificate);
}
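
A custom encoder derives from SecurityStateEncoder and overrides EncodeSecurityState and DecodeSecurityState. The following is an added example, not code from this page or from the sample it quotes: a hypothetical SharedKeySecurityStateEncoder that encrypts the cookie with AES-CBC and authenticates it with HMAC-SHA256, assuming two 256-bit keys that are distributed to every server in the farm from a protected store.

```csharp
using System;
using System.Security.Cryptography;
using System.ServiceModel.Security;
// Added example, hypothetical class: AES-256-CBC then HMAC-SHA256; keys assumed shared by every farm node.
public sealed class SharedKeySecurityStateEncoder : SecurityStateEncoder
{
    private const int IvLen = 16, MacLen = 32;
    private static readonly RandomNumberGenerator Rng = RandomNumberGenerator.Create();
    private readonly byte[] encKey, macKey;
    public SharedKeySecurityStateEncoder(byte[] encKey, byte[] macKey)
    {
        if (encKey == null || encKey.Length != 32 || macKey == null || macKey.Length < 32)
            throw new ArgumentException("Expected a 256-bit AES key and a MAC key of 256 bits or more.");
        this.encKey = (byte[])encKey.Clone();
        this.macKey = (byte[])macKey.Clone();
    }

    private byte[] Mac(byte[] buffer, int count)
    {
        using (HMACSHA256 hmac = new HMACSHA256(macKey)) return hmac.ComputeHash(buffer, 0, count);
    }

    protected override byte[] EncodeSecurityState(byte[] data)
    {
        byte[] iv = new byte[IvLen], cipher;
        Rng.GetBytes(iv);   // fresh random IV for every cookie
        using (Aes aes = Aes.Create())   // CBC mode with PKCS7 padding by default
        using (ICryptoTransform enc = aes.CreateEncryptor(encKey, iv))
            cipher = enc.TransformFinalBlock(data, 0, data.Length);
        byte[] output = new byte[IvLen + cipher.Length + MacLen];   // IV || ciphertext || HMAC
        Buffer.BlockCopy(iv, 0, output, 0, IvLen);
        Buffer.BlockCopy(cipher, 0, output, IvLen, cipher.Length);
        Buffer.BlockCopy(Mac(output, IvLen + cipher.Length), 0, output, IvLen + cipher.Length, MacLen);
        return output;
    }

    protected override byte[] DecodeSecurityState(byte[] data)
    {
        int bodyLen = (data == null ? 0 : data.Length) - MacLen;
        if (bodyLen < IvLen + 16) throw new CryptographicException("Invalid security state.");
        byte[] expected = Mac(data, bodyLen), iv = new byte[IvLen];
        int diff = 0;   // constant-time comparison, done before any decryption
        for (int i = 0; i < MacLen; i++) diff |= expected[i] ^ data[bodyLen + i];
        if (diff != 0) throw new CryptographicException("Invalid security state.");
        Buffer.BlockCopy(data, 0, iv, 0, IvLen);
        using (Aes aes = Aes.Create())
        using (ICryptoTransform dec = aes.CreateDecryptor(encKey, iv))
            return dec.TransformFinalBlock(data, IvLen, bodyLen - IvLen);
    }
}
```

Assign an instance to serviceHost.Credentials.SecureConversationAuthentication.SecurityStateEncoder before the host is opened. The Aes class lives in System.Core, so the project needs a reference to that assembly.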


.NET Framework

Supported in: 4, 3.5, 3.0

.NET Framework Client Profile

Supported in: 4, 3.5 SP1

Windows 7, Windows Vista SP1 or later, Windows XP SP3, Windows Server 2008 (Server Core not supported), Windows Server 2008 R2 (Server Core supported with SP1 or later), Windows Server 2003 SP2

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.