
The service attribute SessionMode.NotAllowed and maxConcurrentSessions of serviceThrottling can be used simultaneously with wshttpbinding.

Does this mean that they perhaps refer to two different concepts of session?

E.g. SessionMode.NotAllowed = stateless service.
maxConcurrentSessions = max. concurrent (different?) security negotiations.

EDIT:
From this answer to another question I have understood that "WCF will check that app.config [maxConcurrentSessions] is consistent with attributes [SessionMode.NotAllowed] and refuse to start the service if they are not consistent".
When SessionMode.NotAllowed is declared and this disables the use of sessions, shouldn't WCF then refuse to start the service because of the contradicting configuration with maxConcurrentSessions?

Gerard

1 Answer


SessionMode.NotAllowed says that the contract must be implemented in a stateless way.

For NetTcp this would prevent the service starting as it's inherently sessionful; for WSHttpBinding it will suppress the session.

maxConcurrentSessions will have no effect if you use SessionMode.NotAllowed as there will be no sessions to throttle

WSHttpBinding uses SecureConversation to support its concept of session if it's available. If it's not available it will use reliable messaging if it's available. If neither are available it cannot support session.

I wrote a blog article about this stuff a while back

Update in Response to Edit

Secure conversation and Sessions are not the same thing. Secure Conversation can be used whether or not you have sessions. One way WSHttpBinding supports session is to use the negotiation of secure conversation to define the session. However, if you say SessionMode.NotAllowed then WCF will simply not have a sessionID and not support session - it doesn't mean it won't use secure conversation.

maxConcurrentSessions limits the maximum number of concurrent sessions. If you turn off session then the number of sessions will be 0 and so will always be less than the maximum

Richard Blewett
  • See my edited question. What I want to achieve is "no session, no state" but also: authentication just once for the first call and then maintain this secure connection. – Gerard Jul 21 '11 at 08:15
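
The combination discussed in this thread, as an added example that is not code from the question or the answer: a self-hosted service whose contract declares SessionMode.NotAllowed, exposed over WSHttpBinding with secure conversation enabled and a maxConcurrentSessions throttle set in code. `IEcho`, `EchoService`, the throttle values and the localhost address are hypothetical names and values chosen for illustration.

```csharp
// Added example; IEcho, EchoService and the address are hypothetical.
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

[ServiceContract(SessionMode = SessionMode.NotAllowed)] // contract must be stateless
public interface IEcho
{
    [OperationContract]
    string Echo(string text);
}

public class EchoService : IEcho
{
    public string Echo(string text)
    {
        // The answer says no session ID exists under NotAllowed; return what
        // the runtime exposes so a client can check that for itself.
        string id = OperationContext.Current.SessionId;
        return text + " (session: " + (id ?? "none") + ")";
    }
}

public static class Program
{
    public static void Main()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        // Secure conversation: a security context token is negotiated once
        // and reused for later calls, independently of WCF sessions.
        binding.Security.Message.EstablishSecurityContext = true;
        binding.ReliableSession.Enabled = false; // no reliable-messaging session

        using (var host = new ServiceHost(typeof(EchoService),
                                          new Uri("http://localhost:8000/echo")))
        {
            host.AddServiceEndpoint(typeof(IEcho), binding, "");
            // Code equivalent of <serviceThrottling maxConcurrentSessions="10" .../>
            host.Description.Behaviors.Add(new ServiceThrottlingBehavior
            {
                MaxConcurrentSessions = 10,
                MaxConcurrentCalls = 16
            });
            host.Open();
            Console.WriteLine("Listening; press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```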