I am currently building a webpage with a game using html5 canvas and websockets. I have a websocket server written in perl running on server:3000. On the server I have also installed apache, and made a website that the user can visit: http://server/. javascript on this page creates a websocket to ws://server:3000
Connection works and I can send messages from my browser and get the responses, everything shown in a div for now. The messages that I send are for now only "message:...", so the server knows that it is a message and outputs '...' to all users currently connected to the "game".
Now the problem is that anyone could write their own client that would connect to ws://server:3000 and send/receive appropriate messages. This way they would use my backend, but not my client (I would like them to play only from http://server/).
How can I ensure that only my client is used? The main concern is cheating. You could write a bot that connect to a port and plays for you by sending messages and intepreting the ones that it receives...How to overcome this issue?
Authentication FlowThe server generates a temporary external authentication token, stores it in the Authentication Cache, and returns it to the client. The client makes a WebSocket handshake request with the external authentication token passed as a query-string parameter in the handshake endpoint URL.
In order to communicate using the WebSocket protocol, you need to create a WebSocket object; this will automatically attempt to open the connection to the server. The URL to which to connect; this should be the URL to which the WebSocket server will respond.
A server can open WebSocket connections with multiple clients—even multiple connections with the same client. It can then message one, some, or all of these clients. Practically, this means multiple people can connect to our chat app, and we can message some of them at a time.
Use wss:// instead of ws://. This adds a security layer over your communication. Use a server like Nginx for reverse proxying websockets and enable SSL over them.
I'm using a Jetty web server.
I am using Basic authorisation. I used this at first simply because it was easy to implement. However, after discovering the authorisation issue presented by websockets, I think basic authorisation is a good mechanism to use.
The upgrade request header has authorisation data hashed in it:
Accept-Encoding:gzip, deflate, sdch Accept-Language:en-GB,en-US;q=0.8,en;q=0.6 Authorization:Basic YWRtaW46cm9vdA== Cache-Control:no-cache Connection:Upgrade
In my websocket server, with each OnMessage event I call:
session.getUpgradeRequest().getUserPrincipal()
I can then use this information to decide whether the data is authorised to be processed. Also, I check the origin of the socket in the OnConnect event:
session.getUpgradeRequest().getOrigin()
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With