Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Websocket authentication

Tags:

html

authentication

websocket

I'm running a websocket server and asking myself, if it's planed, that clients authentication will be done with handshake in future... draft xxxx maybe :)

Do you have information? I have heard that with draft07 a session id can be sent to server, so maybe that can help to auth the client...

What I'm doing atm is to wait a maximum of 10 seconds, till the clients sends me a message with login header, username and password. But i think this is not "THE" solution. How do you guys out there doing it?

like image 528
ayk Avatar asked May 29 '11 19:05

ayk

People also ask

How do I authenticate a WebSocket?

Authentication FlowThe client makes a WebSocket handshake request with the external authentication token passed as a query-string parameter in the handshake endpoint URL. The server checks the cache to see if the external authentication token is valid.

Are WebSockets a security risk?

Some WebSockets security vulnerabilities arise when an attacker makes a cross-domain WebSocket connection from a web site that the attacker controls. This is known as a cross-site WebSocket hijacking attack, and it involves exploiting a cross-site request forgery (CSRF) vulnerability on a WebSocket handshake.

Can WebSocket be hacked?

In fact, the Cross-Site WebSocket Hijacking attack is possible when the WebSocket handshake is vulnerable to CSRF. Indeed, the communication channel between the two parties (client/server) is created according to the origin of the opening request.

1 Answers

The WebSockets protocol permits standard HTTP authentication headers to be exchanged during the handshake. If you have a WebSockets server that plugs into an existing web server as a module then existing authentication in the web server should already work. Otherwise if you have a standalone WebSockets server then you may need to add the authentication support.

Update

As @Jon points out, unlike normal HTTP/XHR requests, the browser API does not allow you to set arbitrary "X-*" headers for WebSocket connections. The only header value that you can set is the protocol. This is unfortunate. One common solution is to use a ticket based system that relies on existing HTTP mechanism for authorization/authentication and then this ticket is passed along with the websocket connection and validated that way: https://devcenter.heroku.com/articles/websocket-security

like image 190
kanaka Avatar answered Sep 30 '22 00:09

kanaka
Sign in to Comment

Related questions

How do I correctly inherit templates in flask that use bootstrap?
Is it possible to pixelate an image without canvas?
Which is the correct or better way to create a new element with jQuery?
CSS :last-of-type not working in combination with :not
HTML5, ES6 template string polyfill
jQuery: How to select text between two closed html tags
str_ireplace or preg_replace replaced break tag into \r\n
3rd Level JQuery Dropdown Not Displaying
Is there a browser agnostic way to increase a checkbox's size without changing HTML markup?
Force facebook to open link in external browser for smart phones
Getting OSX Safari to honor css "white-space: pre"
onchange event and programmatic input value change conflict on IE
Angular Material 2 : How to put a fab button on top of the md-table at the bottom right corner?
How can you do WebRTC over a local network with no internet connection?
How to check if text is truncated by CSS using Javascript
Reading HTML file to DOM tree using Java
What is the optimum way to handle broken images?
jQuery html() and self-closing tags
Know what overflow:hidden has hidden
Detect Zoom in Firefox

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!