I am building an application that is using websockets. I am only going to allow authenticated users to open a websocket connection with the server after they have logged in and have been granted a session id.
Once I have opened a websocket connection with an authenticated user, the current "page" then holds the details of the open websocket connection. At this point, is this connection relatively safe? Or should I really be checking some token on every message within my own application level protocol that comes in over the websocket?
Are there any known cross-site forgery type security issues, where someone could co-opt an open websocket by getting the authenticated user to execute some JavaScript in some manner, resulting in the ability to exploit the open websocket connection?
1) The connection is safe when you make it safe on the server side. So you have to send a session ID via WebSockets, verify on the server side that it is correct and mark the connection as valid. Authentication is more difficult with HTTP, because HTTP is stateless (unlike raw TCP). Of course it is still possible to hijack a TCP connection, but it's not that easy (see for example this article) and if it happens, then nothing (except for TLS) can help you.
2) Well, if you wrap your WebSocket connection with an anonymous function like that:
    (function() {
        var ws = new WebSocket("ws://localhost:1000");
        // some other stuff
    })();
then no external JavaScript will be able to access it, so you don't have to worry about that.
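The server-side step from point 1 (receive the session ID, verify it, mark the connection as valid), written out as an added example that is not part of the original answer. It also checks the `Origin` header at handshake time, which is the usual server-side control for the cross-site case the question asks about. The allowed origin, the session store and the `auth` message shape are assumptions made for illustration.

```javascript
// Constructed sample data: the origin, session id and message shapes are assumptions.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]);
const sessions = new Map([["sess-alice-1", { user: "alice", expires: Date.now() + 60000 }]]);

// Handshake check. Browsers set Origin on the upgrade request and page script
// cannot change it, so a page served from another site is refused here.
// Non-browser clients can send any Origin, which is why the session check follows.
function originAllowed(headers) {
  return ALLOWED_ORIGINS.has(headers.origin);
}

// One state object per accepted socket; sessionId stays null until verified.
function newConnection() {
  return { sessionId: null, user: null };
}

const reject = (reason) => ({ close: true, reason });

// Returns { close: true, reason } or { close: false, reply }.
function handleMessage(conn, raw, now = Date.now()) {
  let msg;
  try { msg = JSON.parse(raw); } catch { return reject("malformed JSON"); }
  if (msg === null || typeof msg !== "object") return reject("malformed message");

  if (conn.sessionId === null) {
    // The first frame must carry the session id granted at login.
    if (msg.type !== "auth" || typeof msg.sessionId !== "string") return reject("auth required");
    const s = sessions.get(msg.sessionId);
    if (!s || s.expires <= now) return reject("invalid session");
    conn.sessionId = msg.sessionId; // mark this connection as valid
    conn.user = s.user;
    return { close: false, reply: "authenticated" };
  }

  // Later frames need no token: identity is bound to the connection. The server
  // still re-reads its own session store so logout or expiry closes the socket.
  const s = sessions.get(conn.sessionId);
  if (!s || s.expires <= now) return reject("session ended");
  return { close: false, reply: `${conn.user}:${msg.type}` };
}
```

In a real server, `originAllowed` would run in the upgrade handler before the socket is accepted, and `handleMessage` would run for every incoming frame on that socket.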