Websocket authentication


Question

I'm running a websocket server and asking myself if it's planned that client authentication will be done with the handshake in future... draft xxxx maybe :)

Do you have information? I have heard that with draft07 a session id can be sent to server, so maybe that can help to auth the client...

What I'm doing atm is to wait a maximum of 10 seconds, till the client sends me a message with login header, username and password. But I think this is not "THE" solution. How are you guys out there doing it?

Recommended answer

The WebSockets protocol permits standard HTTP authentication headers to be exchanged during the handshake. If you have a WebSockets server that plugs into an existing web server as a module then existing authentication in the web server should already work. Otherwise if you have a standalone WebSockets server then you may need to add the authentication support.

Update

As @Jon points out, unlike normal HTTP/XHR requests, the browser API does not allow you to set arbitrary "X-*" headers for WebSocket connections. The only header value that you can set is the protocol. This is unfortunate. One common solution is to use a ticket-based system that relies on an existing HTTP mechanism for authorization/authentication; this ticket is then passed along with the websocket connection and validated that way: https://devcenter.heroku.com/articles/websocket-security
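The ticket flow described in the answer above, as an added example that is not part of the original answer or of the linked article: an already-authenticated HTTP endpoint issues a short-lived, single-use, HMAC-signed ticket, and the WebSocket server validates it during the handshake. The function names, the ticket layout, the `ticket` query parameter and the 30-second lifetime are all assumptions made for illustration.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import urlsplit, parse_qs

SECRET = secrets.token_bytes(32)  # assumption: one process; share the key if several servers validate
TICKET_TTL = 30                   # seconds (assumed); short, because URLs end up in access logs
_used_nonces = {}                 # nonce -> expiry, enforces single use

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _sign(payload: str) -> str:
    return _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())

def issue_ticket(user, now=None):
    """Call only from an HTTP handler that has already authenticated `user`."""
    now = time.time() if now is None else now
    payload = f"{_b64(user.encode())}.{int(now) + TICKET_TTL}.{secrets.token_urlsafe(16)}"
    return f"{payload}.{_sign(payload)}"

def redeem_ticket(ticket, now=None):
    """Return the user for a valid, unexpired, unused ticket, else None."""
    now = time.time() if now is None else now
    try:
        user_b64, expiry, nonce, sig = ticket.split(".")
        expected = _sign(f"{user_b64}.{expiry}.{nonce}")
        # Constant-time comparison; check the MAC before trusting any field.
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return None
        if int(expiry) < now or nonce in _used_nonces:
            return None  # expired or replayed
        user = base64.urlsafe_b64decode(user_b64 + "=" * (-len(user_b64) % 4)).decode()
    except (ValueError, UnicodeDecodeError):
        return None  # malformed ticket
    for old in [n for n, exp in _used_nonces.items() if exp < now]:
        del _used_nonces[old]  # forget nonces whose tickets can no longer be valid
    _used_nonces[nonce] = int(expiry)
    return user

def authenticate_handshake(request_target, now=None):
    """Validate ?ticket=... from the handshake request target, e.g. "/ws?ticket=..."."""
    values = parse_qs(urlsplit(request_target).query).get("ticket", [])
    return redeem_ticket(values[0], now) if len(values) == 1 else None
```

A server would call `authenticate_handshake` before completing the upgrade and refuse the connection when it returns `None`.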
