Reputation: 1723
How to make websocket authentication?
I work on web application and I want to have live notifications to a user via websockets. These notifications should be received only by a user whose notifications belong to. I wonder if it's good idea to pass an temporary authentication token (which would be unique for a user) to javascript and the script connects to websocket server and pass the authtoken as a parameter to make a handshake. Is it secure solution to pass auth token to javascript and then login via websocket using this authentication token? Of course web app is secured by ssl and web socket server also.
Upvotes: 1
Views: 1716
Answers (1)
Reputation: 706
You can try
User authenticate to Web app Server
Web app Server will generate 1 Key Code for this session ( Maybe Md5 with salt is username) if user are valid
Web app Server send this key to Web Socket server
Web app Server send this key to client-side
Client will send this key to websocket server to authenticate
If socket contained this key -> user is valid -> OK, continue to transfer data between socket and client, Else Web socket server will stop this connection.
It will be secure because authenticate key is unique and SSL will make it be better. Hope it'll help you. And this was our solution for building a FOREX System : Authenticate via CAS ( Single Sign ON ) and Websocket to send the index data. In our case, CAS server will generate 1 Single Sign On ID, and we use it to validate.
Upvotes: 1
Related Questions
- Websocket Security
- WebSockets authentication
- Websocket server: how to authorize clients?
- Websocket security authentication with own credentials
- WebSocket authentication security
- Websocket authentication
- Configuring authentication headers for WebSocket connection
- How can I authenticate websocket connection
- Authentication before opening a Websocket
- How to make the safest Websocket Authentication