I'm trying to authenticate a client to my secure WebSocket server (wss) for a registered members' area.
Once a member is connected to the web server, I record in a database a unique token (associated with the member) that I display in a hidden field on the page initiating the connection to the WebSocket server.
Then the token is sent to the WebSocket server, which authenticates the account using the token.
I'm really not a security expert, and I wanted your opinion as to the security of my authentication.
Are there any risks (other than cookie hijacking)? Is there any better way to proceed, considering that WebSocket doesn't prescribe any particular way for servers to authenticate clients during the WebSocket handshake?
I use Ratchet WebSocket.
WebSockets let anyone tunnel an arbitrary TCP service. An example is tunneling a database connection directly through to the browser. In the case of a Cross-Site Scripting attack, this escalates into a complete security breach.
Like HTTPS, WSS (WebSockets over SSL/TLS) is encrypted, thus protecting against man-in-the-middle attacks. A variety of attacks against WebSockets become impossible if the transport is secured.
Yes, one option is to use cookies (and TLS to avoid cookie hijacking):
Have the cookie set after a "plain old HTML form based" login, transmit the cookie to the WebSocket server, and use the cookie to authenticate the WebSocket.
Here is a complete example of doing Mozilla Persona-based authentication with WebSocket.
You asked about Ratchet. This example is not Ratchet, but it might give you some clues, which is why I think it's ok to point to it.
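The handshake-time check that both the question (a per-member token issued by the web server) and the cookie answer describe, written out as an added example. This is not code from the original page and not Ratchet's own API; it is standard-library Python that parses the client's HTTP Upgrade request, rejects it before the 101 if the token is missing, unknown, expired or already used, and only then computes Sec-WebSocket-Accept. The origin https://example.test, the cookie name ws_token, the 60-second lifetime and the member IDs are assumed for illustration. One caveat the page's cookie option needs: a browser attaches the cookie to a handshake started by any site, so the server must also check the Origin header, otherwise a cross-site page can open an authenticated socket on the member's behalf.

```python
import base64
import hashlib
import secrets
import time

# RFC 6455 GUID used to derive Sec-WebSocket-Accept from Sec-WebSocket-Key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Assumed deployment origin. With cookie-based auth, any site can start a
# handshake that carries the member's cookie, so Origin must be allow-listed.
ALLOWED_ORIGINS = {"https://example.test"}
COOKIE_NAME = "ws_token"  # assumed cookie name


class TokenStore:
    """In-memory stand-in for the database row the question describes.
    Keyed by SHA-256 of the token so a leaked table does not yield live tokens;
    tokens are short-lived and single-use."""

    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self._rows = {}  # sha256(token) -> (member_id, expiry)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, member_id, now=None):
        """Called by the web server after form login; returns the token to
        set in the cookie (or hidden field)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG
        self._rows[self._key(token)] = (member_id, now + self.ttl)
        return token

    def redeem(self, token, now=None):
        """Return the member ID once; a replayed or expired token yields None."""
        now = time.time() if now is None else now
        entry = self._rows.pop(self._key(token), None)  # pop() makes it single-use
        if entry is None:
            return None
        member_id, expires = entry
        return member_id if now <= expires else None


def parse_handshake(raw):
    """Split the client's Upgrade request into (method, target, lowercased headers)."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def parse_cookies(header):
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def accept_key(client_key):
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), per RFC 6455."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def authenticate_handshake(raw, store, now=None):
    """Return (response_text, member_id); member_id is None when rejected.
    Every check runs before the 101, so an unauthenticated client never gets a socket."""
    method, _target, headers = parse_handshake(raw)
    if (method != "GET" or headers.get("upgrade", "").lower() != "websocket"
            or "sec-websocket-key" not in headers):
        return "HTTP/1.1 400 Bad Request\r\n\r\n", None
    if headers.get("origin") not in ALLOWED_ORIGINS:
        # Origin is checked first so a cross-site attempt does not burn the token.
        return "HTTP/1.1 403 Forbidden\r\n\r\n", None
    token = parse_cookies(headers.get("cookie", "")).get(COOKIE_NAME)
    member_id = store.redeem(token, now) if token else None
    if member_id is None:
        return "HTTP/1.1 401 Unauthorized\r\n\r\n", None
    response = ("HTTP/1.1 101 Switching Protocols\r\n"
                "Upgrade: websocket\r\n"
                "Connection: Upgrade\r\n"
                f"Sec-WebSocket-Accept: {accept_key(headers['sec-websocket-key'])}\r\n"
                "\r\n")
    return response, member_id


def client_handshake(token, origin="https://example.test", key=None):
    """Constructed browser-side Upgrade request carrying the token in the cookie."""
    key = key or base64.b64encode(secrets.token_bytes(16)).decode("ascii")
    return ("GET /ws HTTP/1.1\r\nHost: example.test\r\n"
            "Upgrade: websocket\r\nConnection: Upgrade\r\n"
            f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n"
            f"Origin: {origin}\r\nCookie: {COOKIE_NAME}={token}\r\n\r\n")


if __name__ == "__main__":
    store = TokenStore()
    tok = store.issue("member-42")
    print(authenticate_handshake(client_handshake(tok), store))          # 101, "member-42"
    print(authenticate_handshake(client_handshake(tok), store))          # 401: replay
    print(authenticate_handshake(client_handshake(store.issue("member-7"),
                                                  origin="https://evil.test"), store))  # 403
```

The same checks apply unchanged if the token arrives in the query string or in the first frame instead of a cookie; what matters is that it is random, bound to one member, expires quickly, is consumed on first use, and is verified before the socket is upgraded. The `now` parameter exists so the expiry logic can be exercised without waiting.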