In my old non-WSE method of doing web services security, I had to get a token from the webserver and have it time out after 2 minutes, then get another one. This was to protect myself from someone discovering and using that token while it was valid. They could do that, but 2 minutes is not enough time to do much damage. But it was still a kludge.
Now WSE2 has DerivedKeyTokens, which force a different hash of your username token each time you stick it into your SOAP header. Cool. Benjamin Mitchell wrote more on this here.