Menu
Example scenario: Web based multi-user chat application through websocket connection. How can I ensure (or guarantee) that each connection in this application belongs to certain authenticated user and "can't be" exploited by false user impersonation or intervene during the connection.
by the way I am using tornado websocket on server side to implement basic chat room and already doing authentication for the non-websocket part of my app.
ps : suppose authenticated user posts what he wants and when other user open the listing page of item and automatically other user is added to list of websocket listeners what I want each user able to chat with buyer of the item individually not in a chatroom way but with one to one chat
707
First and foremost, there are two things you should remember about WebSockets: (a) it's an evolving standard and (b) it is designed with the intention of working with untrusted clients.
The biggest and most important thing you should always do with WebSockets is check their origin. If the origin is mismatched, obviously you don't want to deal with that client, so ignore their requests. Additionally, make sure you're using the "wss" secured WebSocket protocol rather than the "ws" unsecured protocol. This will ensure that your messages are encrypted.
The problem with just doing this, is that this information can be spoofed. See this blog post for a quick demonstration of this.
Additional Security:
Hope that helps! Sorry if it doesn't. This is my frist answer on StackOverflow. :P
152
I'm pretty sure the websocket connection sends up any cookies that have been established in the non-websocket connection to your app. You should be able to query Django's session store for the connection's cookie and determine the user that socket belongs to.
Check out: https://docs.djangoproject.com/en/1.3/topics/http/sessions/#configuring-the-session-engine
1
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
