
I'm running a websocket server and asking myself if it's planned that client authentication will be done with the handshake in future... draft xxxx maybe :)

Do you have information? I have heard that with draft07 a session id can be sent to the server, so maybe that can help to auth the client...

What I'm doing atm is to wait a maximum of 10 seconds until the client sends me a message with a login header, username and password. But I think this is not "THE" solution. How are you guys out there doing it?

Silver Phoenix
ayk

1 Answer


The WebSockets protocol permits standard HTTP authentication headers to be exchanged during the handshake. If you have a WebSockets server that plugs into an existing web server as a module, then existing authentication in the web server should already work. Otherwise, if you have a standalone WebSockets server, then you may need to add the authentication support.

Update

As @Jon points out, unlike normal HTTP/XHR requests, the browser API does not allow you to set arbitrary "X-*" headers for WebSocket connections. The only header value that you can set is the protocol. This is unfortunate. One common solution is to use a ticket-based system that relies on existing HTTP mechanisms for authorization/authentication; this ticket is then passed along with the websocket connection and validated that way: https://devcenter.heroku.com/articles/websocket-security

kanaka
  • It may be part of the WebSocket specs, but it is not part of the WebSocket API in most browsers. You cannot send custom headers along with the WebSocket handshake in browsers. See https://github.com/SocketCluster/socketcluster-client/issues/9 – Jon Feb 04 '16 at 03:50
  • _"unlike normal HTTP/XHR requests, you cannot set arbitrary "X-*" headers for WebSocket connections."_ - actually @Jon pointed out that you cannot do so via the **WebSocket JS API**. That's not the same as saying it can't be done for *WebSocket connections*. – Madbreaks Mar 28 '16 at 21:35
  • 1
    @Madbreaks good point. I've clarified that this is specifically a WebSocket browser API, rather than a WebSocket protocol limitation. Also, there are some Node.js/JS WebSocket implementations that allow you to set headers. So really it's just the W3C browser API that doesn't provide a mechanism. – kanaka Mar 29 '16 at 16:36
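The ticket-based approach the answer describes, as an added example (not code from the answer or from the linked Heroku article): the already-authenticated HTTP side issues a short-lived, signed, single-use ticket, and the WebSocket server redeems it once at connect time. The function names, the HMAC-over-JSON ticket format, the 30-second TTL and the binding to the client IP are assumptions made here.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key; a real deployment loads this from a secret store.
TICKET_KEY = b"constructed-demo-key-rotate-me"
TICKET_TTL_SECONDS = 30        # tickets are meant to be redeemed immediately
_redeemed_nonces = set()       # single-use enforcement (per-process demo)


def _sign(payload: str) -> str:
    return hmac.new(TICKET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_ticket(user_id: str, client_ip: str, now=None) -> str:
    """Called by the normal HTTP endpoint after its own auth check (cookie,
    session, etc.). Returns an opaque ticket the client hands over when it
    opens the WebSocket (query string or first message)."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "ip": client_ip,
              "exp": int(now) + TICKET_TTL_SECONDS,
              "nonce": secrets.token_hex(8)}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return f"{payload}.{_sign(payload)}"


def redeem_ticket(ticket: str, client_ip: str, now=None):
    """Called once when the WebSocket handshake arrives. Returns
    (user_id, None) on success or (None, reason) so the server can log
    exactly why it refused the connection."""
    now = time.time() if now is None else now
    try:
        payload, sig = ticket.split(".", 1)
    except ValueError:
        return None, "malformed"
    # Verify the MAC before parsing anything: never trust unauthenticated bytes.
    if not hmac.compare_digest(_sign(payload), sig):
        return None, "bad_signature"
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if now > claims["exp"]:
        return None, "expired"
    if claims["ip"] != client_ip:
        return None, "client_mismatch"
    if claims["nonce"] in _redeemed_nonces:
        return None, "replayed"
    _redeemed_nonces.add(claims["nonce"])
    return claims["sub"], None
```

Because the ticket is validated on the server side only, it works regardless of whether the browser API lets you set custom headers; the IP binding is a defence-in-depth measure and can be dropped where clients sit behind changing NAT or proxies.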