如何为webSocket javascript设置cookie标头? [英] How to set cookie header for webSocket javascript?
问题描述
我正在尝试使用kerberos身份验证打开服务器的Websocket,握手期间发生错误(错误代码:400); 我看到不可能通过Web套接字发送凭据,而我要做的是通过Web套接字Cookie设置用户名和密码,服务器将读取它们. 那么,如何为Web套接字设置cookie? 谢谢你,
这取决于浏览器.如果cookie随初始HTTP请求一起启动WebSocket连接而到达,则可以实现处理cookie,但是如果您不能要求用户使用Safari(Safari会发送带有WebSocket打开请求的cookie,而不是Chrome)而不是Chrome(Chrome不会发送) ,您可能必须实现一种机制,让客户端在带内发送会话标识符.
实现此目的的一种简单方法是,客户端代码将会话标识符作为响应open事件的第一条消息发送,而服务器代码将第一条传入消息的内容解释为会话cookie,设置适当的特权上下文(或者如果cookie未知,或者如果不对其承载不授予特权,则可能关闭连接).
或者,如果您的WebSocket协议具有某种结构化的消息基础结构,则可以定义用于将会话cookie传递到服务器的特定消息类型,以及服务器的匹配响应类型,以使客户端知道它的内容.想到了cookie.
与ws://example.com/service?SESSION=123456一样,可能很想在URI参数中传递会话cookie.这在原型制作中就足够了,但是在生产中可能不建议这样做,因为通常应将会话cookie视为比处理从Web服务器请求的URI列表习惯的更为敏感.以这种方式传递会话Cookie可以在短期内起作用,但是可能会通过例如粗心的分析技术而增加其意外暴露的风险.在其他情况下,可以通过在请求的主体中传递敏感标识符(例如,作为所谓的POST参数)来缓解这种担忧,但是WebSocket打开请求不能具有非空主体.
I am trying to open a websocket to a server with kerberos authentication, error during handshake occurs (error code : 400) ; i saw it's not possible to send credentials through web socket and what i have to do is to set the username and password through web socket cookie and the server will read them. So how can i set cookies for web socket ? thank you,
It depends on the browser. You may implement handling cookies if they arrive with the initial HTTP request to initiate a WebSocket connection, but if you can't require your users to, say, use Safari, which sends cookies with WebSocket open requests, and not Chrome, which does not, you'll probably have to implement a mechanism for the client to send in the session identifier in-band.
One simple way to achieve this is for the client code to send in the session identifier as the first message in response to the open event, and the server code to interpret the first incoming message's content as the session cookie, to set up the appropriate privilege context (or perhaps close the connection if the cookie is unknown or otherwise grants no privileges to its bearer).
Alternatively, if your WebSocket protocol has some sort of structured message infrastructure, you may define a specific message type for passing a session cookie to the server, as well as a matching response type for the server to let the client know what it thinks of the cookie.
It may be tempting to pass the session cookie in an URI parameter, as in ws://example.com/service?SESSION=123456. This can be adequate in prototyping, but it is probably ill-advised in production, since session cookies should generally be treated as more sensitive than it is customary to treat the list of URIs requested from a web server. Passing session cookies in such a way can work in the short term, but may increase the risk of their accidental exposure via, say, careless analytics techniques. This concern could in some other context be alleviated by passing the sensitive identifier in the body of the request (for example, as a so-called POST parameter), but WebSocket open requests can not have a non-empty body.
这篇关于如何为webSocket javascript设置cookie标头?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
