Question

I want to provide a websocket based Service to my registered users. The Website Frontend is running on Server A, the WebSocket-Service is running on Server B.

I want to make sure that Server B won't grant access to a user that is not authenticated by Server A. Also I want to avoid that a session can be hijacked.

I came up with this approach but I never implemented security for websockets. Might this be a good approach?:

  • When a client wants to connect with my WebSocket, Server A requests a token from Server B. The Server B will generate this Token and send it back to Server A.

  • Server B will store the token in a cache.

  • Now the client is allowed to connect to the WebSocket. The client's first message contains the token.

  • Server B checks whether the token can be found in the cache and whether the token is already used by an active Session.

  • If everything is fine the client will be registered and is allowed to use the service.

Is this a good approach? Is there a better solution I won't have to implement by myself?

I read this solution: Best way to create a TOKEN system to authenticate web service calls?

But since my users will send up to 500 messages per minute (that's the highest possible value... but still possible) I think this could cause some trouble...


Solution

What is wrong with cookies?

If both servers are in the same 2nd level domain (web.example.com and websocket.example.com), they can share cookies.

The websocket connection will send the existing cookies for that 2nd level domain during the negotiation.

So you can perform authentication in the web server, return an authentication cookie, and then the websocket will send that cookie to the server again. The websocket server should be able to open and read the cookie.

"500 messages per minute" is 8 messages per second, it should not be a problem. Websocket connections are established once, there is not a new connection per message. A websocket is different from a webservice.

Cheers.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow