
I'm working on a simple web app that uses JWT authentication. Only authenticated users may open a Websocket with the server, and as it turns out, this is more complicated than setting an Authentication header (HTTP headers in Websockets client API).

I'm following this article https://devcenter.heroku.com/articles/websocket-security#authentication-authorization to work around this. The above article describes generating a ticket for an authenticated client upon request (the ticket contains user id + IP address), storing the ticket (which expires after X seconds), and then having the client open a Websocket with the ticket as part of the URL. (e.g. "ws://localhost:3000/conn/[myticket]" or "ws://localhost:3000/conn?ticket=[myticket]").

Here's my question: should this ticket be encrypted? If the ticket wasn't encrypted, could somebody spoof an IP address and then forge a valid ticket from that address, knowing that the ticket is unexpired and unused?

Follow-up question: how should this ticket be encrypted? It has to be sent as part of a URL, so is binary encryption possible, or does it have to be UTF-8?

Cody
  • Generate a 16-byte string from a cryptographically secure random number generator. Store this server side using SHA-256. Check that the ticket received on the Websocket matches one in your database when hashed. And finally, protect the client-side: Use HTTPS so you can use WSS instead of WS, and check the Origin header to prevent Websocket Hijacking. – SilverlightFox Sep 28 '15 at 10:02
  • Thanks for the help! Although I'm a bit confused, is the randomly generated 16-byte string supposed to be the ticket? Don't I need to include a user id / IP address? – Cody Oct 01 '15 at 04:58
  • Yes, that's the ticket. No need for user identifier or IP address - your server-side storage mechanism should be able to tie it to the user account. – SilverlightFox Oct 01 '15 at 09:26
  • I know this is an old question but I wonder why you need a "ticket" if you can send your JWT token (access token) in the websocket headers and then verify it server side – Two Horses Sep 23 '21 at 20:05

0 Answers