For WCF bindings that use message-layer security, a timestamp header will be added in the SOAP envelope to ensure the timely delivery of the message so as to prevent a potential message-replaying attach. However, some non-WCF service platforms may not expose this header. When working with this kind of service client or service, we will need to prevent the WCF message engine from generating the timestamp header.
Using WSHttpBinding as an example, we can create a customized binding that derives most of the setting of the built-in WSHttpBinding (but suppresses the timestamp header generation).
The following code snippet demonstrates how to create the CustomBinding and configure the certain binding element to disable timestamp header generation.
private static Binding GetCustomHttpBinding()
{
WSHttpBinding wshttp = new WSHttpBinding();
var bec = wshttp.CreateBindingElements();
SecurityBindingElement secbe = bec.Find<SecurityBindingElement>();
// Not to include Timestamp header
secbe.IncludeTimestamp = false;
// Suppress the message relay detection
secbe.LocalServiceSettings.DetectReplays = false;
secbe.LocalClientSettings.DetectReplays = false;
CustomBinding cb = new CustomBinding(bec);
return cb;
}
The code first locates the SecurityBindingElement instance from the default element collection of wsHttpBinding. It then sets the IncludeTimestamp property to false. Also, it is necessary to turn off the DetectReplays property on the LocalServiceSettings and LocalClientSettings members.
Finally, we can apply this CustomBinding to any endpoint that needs to suppress the timestamp header.
Since the timestamp header is a security feature that performs a message-replaying check, the WCF programming model exposes this setting through the SecurityBindingElement type. However, only setting the SecurityBindingElement.IncludeTimestamp to false is not enough, because this only helps remove the timestamp header; the runtime will still perform replay detection on incoming/outgoing messages. Therefore, we also need to turn off the DetectReplays property on LocalServiceSettings and LocalClientSettings collection.
By comparing the underlying SOAP messages, we can find the obvious difference in the SoapHeader section before and after we disable the timestamp header generation. The next screenshot is a SOAP message captured before removing the timestamp header:
The following screenshot is for a SOAP message captured after removing the timestamp header:
