Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
729 views
in Technique[技术] by (71.8m points)

security - WebSockets authentication

What are the possible ways to authenticate user when websocket connection is used?

Example scenario: Web based multi-user chat application through encrypted websocket connection. How can I ensure (or guarantee) that each connection in this application belongs to certain authenticated user and "can't be" exploited by false user impersonation during the connection.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

If you're already doing authentication for the non-websocket part of your app, just pass the session cookie along as the first message after connecting and check the cookie as you normally would.

WARNING: It's been pointed out that the following doesn't work when flashsockets are used:
If you're using socket.io, it's even easier—the cookies are passed through automatically on connection, and can be accessed like the following:

var io = require('socket.io');
var socket = io.listen(app); 
socket.on('connection', function(client){ 
    cookies = client.headers['cookie'];
});

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...