User identification
Nikolay Marinkin, 2015-04-27 05:36:11

WebSocket security. How to identify a client?

I am developing an application for VKontakte and am using WebSocket technology for the first time. In this regard, I have a question about the security of the connection.
The current authorization scheme is simple:
1. The client authorizes with VK via OAuth
2. The client sends the session received from VK to my server
3. The server checks the validity of the VK session (access_token)
4. If the session is valid, then we authorize the user on our server.
All communication with the server happens through WebSocket. This raises the question: is it necessary to pass the access_token in each message to verify the user, or is that unnecessary when using WebSocket?


3 answer(s)
Nikolai Marinkin, 2015-05-01
@NicoBurno

Issue resolved.
I use socket.io; it has a socket.id parameter, which I check.
In addition, the access_token of the native VKontakte application can be viewed in the headers.

xmoonlight, 2015-04-27
@xmoonlight

Does it work without it?

Nicholas, 2015-08-18
@ACCNCC

Not necessary!
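
The scheme from the question, as an added example that is not part of the original thread: the access_token is verified once for a connection, and every later message is attributed to the identity the server stored for that connection. `ConnectionAuth`, `verifyToken` and the sample token are hypothetical names, and plain objects stand in for sockets so the code runs without a WebSocket library.

```javascript
// Added example: bind the verified VK identity to the WebSocket connection.
// verifyToken is a hypothetical stand-in for the server-side access_token check.
class ConnectionAuth {
  constructor(verifyToken, now = () => Date.now()) {
    this.verifyToken = verifyToken; // async (token) => { userId, expiresAt } or null
    this.now = now;
    this.sessions = new WeakMap();  // connection object -> { userId, expiresAt }
  }
  // Steps 2-4: verify the token once, then bind the identity to the connection.
  async authenticate(conn, accessToken) {
    const identity = await this.verifyToken(accessToken);
    if (!identity) return false;
    this.sessions.set(conn, identity);
    return true;
  }
  // Every later message: identity comes from the connection, not the payload.
  handle(conn, rawMessage) {
    const session = this.sessions.get(conn);
    if (!session) return { ok: false, error: 'unauthenticated' };
    if (session.expiresAt <= this.now()) {
      this.sessions.delete(conn);   // force a fresh login once the token lapses
      return { ok: false, error: 'expired' };
    }
    let msg;
    try { msg = JSON.parse(rawMessage); } catch { msg = null; }
    if (msg === null || typeof msg !== 'object') return { ok: false, error: 'bad_message' };
    return { ok: true, userId: session.userId, action: msg.action };
  }
}

// Constructed sample data: one valid token mapped to a made-up user id.
const SAMPLE_TOKENS = new Map([['tok-valid', { userId: 1001, expiresAt: 2000 }]]);
const sampleVerify = async (token) => SAMPLE_TOKENS.get(token) || null;

async function demo() {
  let clock = 1000;
  const auth = new ConnectionAuth(sampleVerify, () => clock);
  const connA = {}, connB = {};     // stand-ins for two socket objects
  const out = {};
  out.before = auth.handle(connA, '{"action":"ping"}');
  out.badLogin = await auth.authenticate(connB, 'tok-forged');
  out.login = await auth.authenticate(connA, 'tok-valid');
  out.spoof = auth.handle(connA, '{"action":"post","userId":42}');
  out.other = auth.handle(connB, '{"action":"post","userId":1001}');
  clock = 3000;
  out.expired = auth.handle(connA, '{"action":"ping"}');
  return out;
}
demo().then((out) => console.log(out));
```

In a real server, `authenticate` would be called from the handler for the first message on a socket and `handle` from the handler for every message after it.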
