How to secure web socket?

P

Programep2015-12-03 21:21:37

Web development

Programep, 2015-12-03 21:21:37

Can you please tell me how to protect the web socket server?
As I present.
1. Let's say there is an authorization form. The code of the authorization page does not yet have a js code with a connection to ws.
2. After authorization, we go to the page where the connection with ws takes place.
Here's how to disable this connection if this is not an authorized user? After all, not only the browser can connect to this socket.

Reply

Answer the question

In order to leave comments, you need to log in

3 answer(s)

D

Dmitry Belyaev, 2015-12-03
@Programep

websocket browser client sends cookies (suitable if the socket domain and port match the http domain and page port)
you can also pass parameters to the socket url - a universal solution
When authorizing, we generate a session token for the user, I usually use uuid as such a token
When connecting to the server pass this token to the url, like this:

var protocol = window.location.protocol === 'https:' ? 'wss:' : 'ws:';
var ws = new WebSocket(protocol + '//' + window.location.host + '/' + token);

where the token variable should contain a string with the session token
On the server, with a new websocket connection, look at the url and extract the token from it and get the session from it, if there is no such session, we break the connection

M

MaxEpt, 2015-12-03
@MaxEpt

oauth and json web token, if the server part is on node.js, then here is the material to help resources.infosecinstitute.com/securing-web-apis-p...