ayk

Reputation: 1340

Websocket authentication

I'm running a websocket server and asking myself if it's planned that client authentication will be done with the handshake in future... draft xxxx maybe :)

Do you have information? I have heard that with draft07 a session id can be sent to the server, so maybe that can help to auth the client...

What I'm doing atm is to wait a maximum of 10 seconds until the client sends me a message with login header, username and password. But I think this is not "THE" solution. How are you guys out there doing it?

Upvotes: 13

Views: 14798

Answers (1)

kanaka

Reputation: 73225

The WebSockets protocol permits standard HTTP authentication headers to be exchanged during the handshake. If you have a WebSockets server that plugs into an existing web server as a module, then existing authentication in the web server should already work. Otherwise, if you have a standalone WebSockets server, then you may need to add the authentication support.

Update

As @Jon points out, unlike normal HTTP/XHR requests, the browser API does not allow you to set arbitrary "X-*" headers for WebSocket connections. The only header value that you can set is the protocol. This is unfortunate. One common solution is to use a ticket-based system that relies on existing HTTP mechanisms for authorization/authentication, and then this ticket is passed along with the websocket connection and validated that way: https://devcenter.heroku.com/articles/websocket-security

Upvotes: 12
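
The ticket approach mentioned in the answer above, as an added example (not code from the original post or the linked article): an HTTP handler that has already authenticated the user calls `issue`, the client passes the ticket along when opening the WebSocket, and the WebSocket server calls `redeem` during the handshake. The class name `TicketAuthority`, the 30-second lifetime, the client-IP binding and the single-use rule are assumptions of this example.

```python
import base64, hashlib, hmac, json, secrets, time

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class TicketAuthority:
    """Issues and redeems short-lived, single-use WebSocket tickets."""

    def __init__(self, key=None, ttl=30, clock=time.time):
        self._key = key or secrets.token_bytes(32)  # shared by HTTP and WS servers
        self._ttl = ttl        # seconds a ticket stays valid (assumed value)
        self._clock = clock    # injectable so expiry can be tested
        self._used = {}        # nonce -> expiry, for replay rejection

    def _sign(self, body):
        return hmac.new(self._key, body, hashlib.sha256).digest()

    def issue(self, user, client_ip):
        """Call only from an HTTP handler that has already authenticated `user`."""
        claims = {"u": user, "ip": client_ip,
                  "exp": self._clock() + self._ttl, "n": secrets.token_hex(16)}
        body = json.dumps(claims, separators=(",", ":")).encode()
        return _b64(body) + "." + _b64(self._sign(body))

    def redeem(self, ticket, client_ip):
        """Call during the WebSocket handshake; returns the user or None."""
        try:
            body_part, sig_part = ticket.split(".")
            body, sig = _unb64(body_part), _unb64(sig_part)
        except (ValueError, AttributeError, TypeError):  # malformed or missing
            return None
        if not hmac.compare_digest(sig, self._sign(body)):
            return None                      # forged or altered ticket
        claims = json.loads(body)
        now = self._clock()
        # Forget nonces whose tickets have expired anyway.
        self._used = {n: e for n, e in self._used.items() if e > now}
        if claims["exp"] <= now or claims["ip"] != client_ip:
            return None                      # expired, or sent from another address
        if claims["n"] in self._used:
            return None                      # replay of an already redeemed ticket
        self._used[claims["n"]] = claims["exp"]
        return claims["u"]
```

A connection whose `redeem` call returns `None` should have its handshake rejected before any application message is processed.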
