WebSocket 身份验证 [英] WebSockets authentication

问题描述

当使用 websocket 连接时，有哪些可能的方式来验证用户?

What are the possible ways to authenticate user when websocket connection is used?

示例场景:基于 Web 的多用户聊天应用程序，通过加密的 websocket 连接.我如何确保(或保证)此应用程序中的每个连接都属于某个经过身份验证的用户，并且不能"在连接期间被假冒用户利用.

Example scenario: Web based multi-user chat application through encrypted websocket connection. How can I ensure (or guarantee) that each connection in this application belongs to certain authenticated user and "can't be" exploited by false user impersonation during the connection.

推荐答案

SSL/TLS 可用于使用 X.509 证书对客户端和服务器进行身份验证.这取决于您使用的 Web 应用程序平台.在 apache 中，可以根据列表检查 SSL_CLIENT_CERT 环境变量的有效性已知证书有效.这不需要使用完整的 PKI，也不需要您为每个客户端购买证书.虽然我建议使用 CA 来支持您服务器的 ssl 证书.

SSL/TLS can be used to authenticate both client and server using X.509 certificates. It depends on the web application platform you are using. In apache the SSL_CLIENT_CERT environment variable can be checked for validity against a list of known certificates to be valid. This would not require the use of a full PKI, and would not require you to purchase certificates for each client. Although I recommend using a CA to back your server's ssl certificate.

这篇关于WebSocket 身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！