Authenticate websocket clients using tokens?


Problem description

I want to provide a websocket based Service to my registered users. The Website Frontend is running on Server A, the WebSocket-Service is running on Server B.

I want to make sure that Server B won't grant access to a user that is not authenticated by Server A. Also I want to avoid that a session can be hijacked.

I came up with this approach but I never implemented security for websockets. Might this be a good approach?:

  • When a client wants to connect with my WebSocket, Server A requests a token from Server B. The Server B will generate this Token and send it back to Server A.

  • Server B will store the token in a cache.

  • Now the client is allowed to connect to the WebSocket. The client's first message contains the token.

  • Server B checks whether the token can be found in the cache and whether the token is already used by an active Session.

  • If everything is fine the client will be registered and is allowed to use the service.

Is this a good approach? Is there a better solution I won't have to implement by myself?

I read this solution: Best way to create a TOKEN system to authenticate web service calls? (http://stackoverflow.com/questions/1432664/best-way-to-create-a-token-system-to-authenticate-web-service-calls)

But since my users will send up to 500 messages per minute (that's the highest possible value.. but still possible) I think this could cause some trouble...
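The token handshake the question describes, as an added Python example that is not code from the question or the answer: Server B's token cache with issuing, single-use redemption and expiry, so that a token captured after use cannot be replayed to hijack a session. The 30-second TTL, the in-memory dicts and the choice to store only a SHA-256 digest of each token are assumptions for this example.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Assumption for this example: a handshake token must be redeemed within 30 s.
TOKEN_TTL_SECONDS = 30.0


class HandshakeTokenRegistry:
    """Server B's token cache: tokens are issued for a user that Server A has
    authenticated, are single-use, expire quickly, and only their digest is stored."""

    def __init__(self, now: Callable[[], float] = time.monotonic) -> None:
        self._now = now                                   # injectable clock for tests
        self._pending: Dict[str, Tuple[str, float]] = {}  # sha256(token) -> (user, expiry)
        self.sessions: Dict[str, str] = {}                # session_id -> user

    @staticmethod
    def _key(token: str) -> str:
        # Cache only a digest, so a leaked cache dump does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        """Step 1: Server A asks for a token on behalf of a user it authenticated."""
        token = secrets.token_urlsafe(32)                 # 256 bits of randomness
        self._pending[self._key(token)] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def purge_expired(self) -> int:
        """Drop stale tokens so the cache cannot grow without bound; returns the count."""
        now = self._now()
        stale = [k for k, (_, exp) in self._pending.items() if now > exp]
        for k in stale:
            del self._pending[k]
        return len(stale)

    def redeem(self, token: str, session_id: str) -> Optional[str]:
        """Steps 3-4: validate the token carried in the client's first message.
        Returns the user id on success, None for an unknown, expired or replayed token."""
        entry = self._pending.pop(self._key(token), None)  # pop => single use
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        self.sessions[session_id] = user_id               # bind the user to this socket
        return user_id
```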

Recommended answer

What is wrong with cookies?

If both servers are in the same 2nd level domain (web.example.com and websocket.example.com), they can share cookies.

The websocket connection will send the existing cookies for that 2nd level domain during the negotiation.

So you can perform authentication in the web server, return an authentication cookie, and then the websocket will send that cookie to the server again. The websocket server should be able to open and read the cookie.

"500 messages per minute" are 8 messages per second, it should not be a problem. Websocket connections are established once, there is not a new connection per each message. A websocket is different from a webservice.

Cheers.
