WebSocket 认证安全 [英] WebSocket authentication security

问题描述

我正在尝试向注册会员区的安全 WebSocket 服务器 (wss) 验证客户端.

I'm trying to authenticate a client to my secure WebSocket server (wss) for registered member area.

一旦成员连接到网络服务器，我就会在数据库中记录一个唯一的令牌(与成员相关联)，我将其显示在启动与网络套接字服务器连接的页面的隐藏字段中.

Once a member is connected to the web server, I record, in a database, a unique token (associated to the member) that I displayed in a hidden field on the page initiating the connection to the Web Socket server.

然后将令牌发送到使用令牌对帐户进行身份验证的 WebSocket 服务器.

Then the token is sent to the WebSocket server that authenticates the account using the token.

我真的不是安全专家，我想就我的身份验证的安全性征求您的意见.

I'm really not a security expert, and I wanted your opinion as to the security of my authentication.

是否存在任何风险(cookie 劫持除外)?考虑到 WebSocket 没有规定服务器可以在 WebSocket 握手期间对客户端进行身份验证的任何特定方式，是否有更好的方法来继续.

Are there any risks (except cookie hijacking)? Are there any better way to proceed considering that WebSocket doesn't prescribe any particular way that servers can authenticate clients during the WebSocket handshake.

我使用 Ratchet WebSocket.

I use Ratchet WebSocket.

推荐答案

是的，一种选择是使用 cookie(和 TLS 来避免 cookie 劫持):

Yes, one option is to use cookies (and TLS to avoid cookie hijacking):

在基于普通 HTML 表单"登录后设置 cookie，将 cookie 传输到 WebSocket 服务器，并使用 cookie 对 WebSocket 进行身份验证.

Have the cookie set after "plain old HTML form based" login, transmit the cookie to WebSocket server, and use the cookie to authenticate the WebSocket.

这是一个完整示例<强>基于 Mozilla Persona 的 WebSocket 身份验证.

Here is a complete example of doing Mozilla Persona based authentication with WebSocket.

您询问了 Ratchet.这个例子不是 Ratchet，但它可能会给你一些线索 - 这就是为什么我认为可以指出.

You asked about Ratchet. This example is not Ratchet, but it might give you some clues - which is why I think it's ok to point to.

这篇关于WebSocket 认证安全的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！