I think F designed the solution before deeply researching WCF, especially security aspect.
The most early WI, there is a solution to simulate asp.net session. There’s no transfer secure solution.
In 2010-08-11 email, there are BL(business logic) analysis and a encryption sample. The BL is very useful, it’s great. The encryption sample can ensure transfer security, but has some defect.
1, one secure communication contains 2 aspect(or demands), 1 is privacy when transfer, means to encrypt data. After encrypted, a hacker monitored the data transferred, but he can’t understand the information. 2 is anti-deny, means to prevent the data be interpolated or the sender say he didn’t send.
2, the degree of coupling between security codes and BL codes should be reduced as low as possible, and when the system or framework or infrastructure provides the security function or interface, we should use it, not we implement it ourselves. WCF provide security function & extension interface, we don’t need write even one line codes to encrypt data, but edit the configuration file, then the WCF framework will do it. In this way, we only need to focus on the BL.
So the better solution is:
1. The encryption sample use AES algorithm, it’s contained in WCF framework, we can edit configuration file to use it, not write codes.
2. The secure communication also demands digital signature to anti-deny, so the certificate is required. WCF can also support this kind of mode, no codes required.
In fact, (WCF based on certificate) use PKI processing procedure, If you want to know more, I can explain more detail.