
Preamble: I understand that there were quite a few similar questions on SO that ask the same thing. All of them are about different implementations of the idea, or use other languages and platforms, and didn't answer my question.

I have a website running at https://sub3.domain.edu/page_x and a WebSocket server running at https://sub1.sub2.domain.edu/page_y (names obviously changed for privacy). Both addresses belong to domain.edu, which is my university website.

Currently, users log in to my website at the first link using basic HTTP auth. The actual authentication, i.e. checking the username and password, is handled by an Apache module on the first server only.

Right now, no authentication is needed to connect to the WS server, which makes it open to DDOS attacks (the WebSocket server performs CPU intensive work for every connected user). I merely connect like this:

ws = new WebSocket ('wss://sub1.sub2.domain.edu/page_y/wss')

My goal is to figure out how to use the first website's authenticated session to connect to the second server. How do I modify the website to send something (like a token) that my WebSocket server can recognize as an authenticated user and then allow access? The WebSocket server is a node.js app running at the address I specified above.

I cannot install the Apache module used on the first server since that can only be done by the university IT department, who will not do it for a self-administered machine. I don't want to move the website to the second server because I would really like to use the university Apache module, since it is the same authentication used for all university apps, and we would prefer that our users don't have to remember another password for our site.

1 Answer


If you can, ask the owner of SITE 1 (where the Apache module exists) to share the cookies across the two subdomains. See "How do browser cookie domains work?" for a detailed explanation.

If the subdomain is set correctly, once the user is logged in to SITE 1, SITE 2 will have the cookie set too. You then have two options on the SITE 2 server side.

Option 1 - SITE 2 (server side) needs to be able to validate the cookie of SITE 1 (you need to share the secret with which SITE 1 creates the cookie, and use it when reading the cookie on your side).

Option 2 - SITE 2 (server side) can communicate internally with SITE 1 (/check-cookie returning 'true'/'false').

Whether you use Option 1 or Option 2, you need to integrate the answer from "Websockets token authentication using middleware and express in node.js" and listen to the upgrade event on your server side (SITE 2) to check the cookie on the HTTP upgrade connection during the WebSocket handshake, blocking access if the cookie is not authenticated or is invalid, using Option 1 or Option 2.

Claudio Viola
  • I asked, but they weren't cool with the idea. I think they mentioned XSS as a potential risk factor, but I'm not sure how that worked. I haven't been able to get a clarification, either. – norandomtechie Dec 28 '19 at 13:15