5

I set up a Node.js HTTP server. It listens to path '/' and returns an empty HTML template on a get request.

This template includes Require.js client script, which creates Socket.IO connection with a server.

Then all communication between client and server is provided by Web Sockets.

On connection, server requires authentication; if there are authentication cookies then client sends them to server for validation, if no cookies then client renders login view and waits for user input, etc.

So far everything works, after validating credentials I create a SID for user and use it to manage his access rights. Then I render main view and application starts.

Questions:

  • Is there a need to use HTTPS instead of HTTP since I'm only using HTTP for sending script to the client? (Note: I'm planning to use Local Storage instead of cookies)

  • Are the any downfalls in using pure Web Sockets without HTTP?

  • If it works, why nobody's using that?

Pood1331
  • 235
  • 1
  • 3
  • 8

2 Answers2

3

Is there a need to use HTTPS instead of HTTP since I'm only using HTTP for sending script to the client? (Note: I'm planning to use Local Storage instead of cookies)

No, HTTP/HTTPS is required for handshake for websockets. Choice of HTTP or HTTPS is from security point of view. If you want to use it for simply sending script then there is no harm. If you want to implement user login / authentication in your pages then HTTPS should be used.

Are the any downfalls in using pure Web Sockets without HTTP?

Web sockets and HTTP are very different. If you use pure Web Sockets you will miss out on HTTP. HTTP is the preferred choice for cross-platform web services. It is good for document traversal/retrieval, but it is one way. Web socket provides full-duplex communications channels over a single TCP connection and allows us to get rid of the workarounds and hacks like Ajax, Reverse Ajax, Comet etc. Important thing to note is that both can coexist. So aim for web sockets without leaving out HTTP.

If it works, why nobody's using that?

We live in the age of HTTP, web sockets are relatively new. In the long term, web sockets will gain popularity and take up larger share of web services. Many browsers until recently did not support web sockets properly. See here, IE 10 is the latest and only version in IE to support web sockets. nginx, a wildly popular server did not support web sockets until Feb-March 2013. It will take time for web sockets to become mainstream but it will.

user568109
  • 47,225
  • 17
  • 99
  • 123
  • Thank you for response, very comprehensive. Cross-platform argument determined my solution, but I agree with you that future belongs to web sockets. – Pood1331 Mar 26 '13 at 22:29
2

Your question is pretty similar to this one

Why use AJAX when WebSockets is available?

At the end of the day they were both created for different things although you can use web sockets for most, if not everything which can be done in normal HTTP requests.

I'd recommend using HTTPS as you do seem to be sending authentication data over websockets (which will also use the SSL, no?) but then it depends on your definition of 'need'.

Downfalls - Lack of support for older browsers

It's not used this this in many other situations because it's not necessary and it's still 'relatively new'.

Community
  • 1
  • 1
Sam
  • 2,771
  • 2
  • 28
  • 41
  • But isn't Socket.IO's connection already secured? Wouldn't HTTPS be a waste, since after handshake WSS connection will be established? (Note: according to [link](http://blog.kaazing.com/2012/02/28/html5-websocket-security-is-strong/)) – Pood1331 Mar 26 '13 at 17:43
  • 1
    Web socket connection is only secured if you use SSL so you'll need an SSL cert anyway, might as well add on the HTTPS for the server. – Sam Mar 26 '13 at 22:24
  • Thank you, I didn't know that. I'm switching to HTTPS, just like you suggested. – Pood1331 Mar 26 '13 at 22:31