XBAP Security Question and poking around for thoughts
We have a WPF/XBAP application that the user downloads and executes once authenticated through an ASP.NET portal. After authenticating, ASP.NET passes the user's information (and some other configuration information) using a temporary cookie (or cookies). The XBAP then uses this information to authenticate with a WCF service that the XBAP uses until the XBAP is closed by the user. Of course the security hole here is that someone could potentially retrieve the cookie information from memory before the cookies are deleted, load the XBAP from the ClickOnce cache, and put that cookie information in IE for the XBAP to retrieve. Of course the steps to do that are a little more complicated than what I mentioned, but you should get the idea. Does anyone have any ideas on how the XBAP and its communication between ASP.NET and the WCF service could be made more secure? I'm trying to think like a "hacker" so we can make this solution more secure, but I'm running out of options in my thought process. We've thought about requiring the user to also authenticate using a login screen in the XBAP, but all of us know what kind of reaction we would get from users if they had to log in twice.
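One way to shrink the replay window described above, as an added example that is not the poster's code: instead of placing the user's information in the temporary cookie, the portal issues a random, short-lived, single-use handoff token, and the WCF service redeems it exactly once before issuing its own session credential. The class and method names, the 60-second lifetime and the client-binding bytes are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Assumed design: portal calls Issue() after ASP.NET authentication and puts the
// returned token in the temporary cookie; the WCF service calls Redeem() once.
public sealed class HandoffTokenService
{
    private sealed class Pending
    {
        public string UserId;
        public DateTime ExpiresUtc;
        public byte[] ClientBinding; // assumed: e.g. hash of client address + TLS session id
    }

    // Keyed by SHA-256 of the token, so a dump of this store yields no usable tokens.
    private readonly ConcurrentDictionary<string, Pending> _pending = new ConcurrentDictionary<string, Pending>();
    private static readonly TimeSpan Lifetime = TimeSpan.FromSeconds(60); // assumed lifetime

    public string Issue(string userId, byte[] clientBinding)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw); // unguessable token
        string token = Convert.ToBase64String(raw);
        _pending[Hash(token)] = new Pending { UserId = userId, ExpiresUtc = DateTime.UtcNow + Lifetime, ClientBinding = clientBinding };
        return token;
    }

    // Returns the user id on success, null otherwise. TryRemove makes redemption atomic:
    // the first caller consumes the token and a later replay of the cookie finds nothing.
    public string Redeem(string token, byte[] clientBinding)
    {
        Pending p;
        if (token == null || !_pending.TryRemove(Hash(token), out p)) return null; // unknown or already used
        if (DateTime.UtcNow > p.ExpiresUtc) return null;                           // expired
        if (!FixedTimeEquals(p.ClientBinding, clientBinding)) return null;         // presented from another client
        return p.UserId; // caller now issues its own WCF session credential
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b) // constant-time compare, works on .NET Framework
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

A cookie captured from memory is then only useful until the legitimate XBAP redeems it or the lifetime elapses, and the WCF service never receives the user's identity directly from the client.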