WebSocket authentication security


Question

I'm trying to authenticate a client to my secure WebSocket server (wss) for registered member area.

Once a member is connected to the web server, I record, in a database, a unique token (associated to the member) that I displayed in a hidden field on the page initiating the connection to the Web Socket server.

Then the token is sent to the WebSocket server that authenticates the account using the token.

I'm really not a security expert, and I wanted your opinion as to the security of my authentication.

Are there any risks (except cookie hijacking)? Is there any better way to proceed, considering that WebSocket doesn't prescribe any particular way that servers can authenticate clients during the WebSocket handshake?

I use Ratchet WebSocket.

Answer

Yes, one option is to use cookies (and TLS to avoid cookie hijacking):

Have the cookie set after "plain old HTML form based" login, transmit the cookie to WebSocket server, and use the cookie to authenticate the WebSocket.

Here is a complete example of doing Mozilla Persona based authentication with WebSocket: https://github.com/tavendo/AutobahnPython/tree/master/examples/twisted/websocket/auth_persona

You asked about Ratchet, I know. This example is not Ratchet, but it might give you some clues - which is why I think it's ok to point to.
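The cookie check the answer describes, as an added example written here in Python (the language of the linked Autobahn example) rather than Ratchet; it is not code from the linked project. It validates the session cookie and the Origin header during the HTTP upgrade; the in-memory store, the cookie name and the allowed origin are assumptions standing in for the database and site in the question.

```python
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

# Constructed in-memory session store standing in for the database the question
# describes. Key: SHA-256 of the token, so a leaked table does not yield usable
# tokens. Value: (member id, expiry as a Unix timestamp).
SESSIONS = {}
# Assumption: the web site's own origin; anything else is a cross-site request.
ALLOWED_ORIGINS = {"https://example.com"}
COOKIE_NAME = "session"  # assumed cookie name; set it with Secure and HttpOnly


def _key(token):
    return hashlib.sha256(token.encode()).hexdigest()


def create_session(member_id, ttl=600, now=None):
    """Issue the member's token after the HTML form login; returns the cookie value."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    SESSIONS[_key(token)] = (member_id, now + ttl)
    return token


def authenticate_handshake(headers, now=None):
    """Check the HTTP upgrade request; return the member id, or None to refuse.

    headers: dict of header name -> value taken from the WebSocket handshake.
    """
    now = time.time() if now is None else now
    # Browsers always send Origin on a WebSocket handshake; a logged-in user's
    # cookie must not authenticate a connection opened by some other site.
    if headers.get("Origin") not in ALLOWED_ORIGINS:
        return None
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return None
    entry = SESSIONS.get(_key(morsel.value))
    if entry is None:
        return None
    member_id, expires = entry
    if now >= expires:
        # Expired: drop it so the same token cannot be replayed later.
        del SESSIONS[_key(morsel.value)]
        return None
    return member_id
```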
