What are the security issues around an open websocket connection?

抹茶落季 2021-02-14 11:26

I am building an application that is using websockets. I am only going to allow authenticated users to open a websocket connection with the server after they have logged in and

1 Answer
  •  再見小時候
    2021-02-14 11:43

    1) The connection is safe when you make it safe on the server side. So you have to send a session ID via WebSockets, verify on the server side that it is correct, and mark the connection as valid. Authentication is more difficult with HTTP, because HTTP is stateless (unlike raw TCP). Of course it is still possible to hijack a TCP connection, but it's not that easy (see for example this article) and if it happens, then nothing (except for TLS) can help you.

    2) Well, if you wrap your WebSocket connection with an anonymous function like that:

    (function() {
        var ws = new WebSocket("ws://localhost:1000");
        // some other stuff
    })();
    

    then no external JavaScript will be able to access it, so you don't have to worry about that.

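The server-side check described in point 1 of the answer above, as an added example that is not part of the original answer: the first frame must carry a valid session ID before the connection is marked valid. The names `sessions`, `newConnection`, `onMessage` and the message shapes are assumptions, and the example goes slightly beyond the answer by re-checking session expiry on every frame.

```javascript
// Transport-agnostic sketch: plug onMessage() into whatever WebSocket
// server library is in use. `sessions` stands in for the store that the
// login endpoint writes to (constructed sample data, times in ms).
const sessions = new Map([
  ["s3ss10n-alice", { user: "alice", expiresAt: 2000000 }],
  ["s3ss10n-old", { user: "bob", expiresAt: 500000 }],
]);

const POLICY_VIOLATION = 1008; // RFC 6455 close code

function newConnection() {
  return { authenticated: false, user: null, sessionId: null, closedWith: null };
}

function close(conn) {
  conn.authenticated = false;
  conn.closedWith = POLICY_VIOLATION;
  return null;
}

function liveSession(id, now) {
  const s = sessions.get(id);
  return s && s.expiresAt > now ? s : null;
}

// Handle one text frame. Returns the reply to send, or null once closed.
function onMessage(conn, raw, now) {
  if (conn.closedWith !== null) return null;
  let msg;
  try { msg = JSON.parse(raw); } catch { return close(conn); }
  if (msg === null || typeof msg !== "object") return close(conn);

  if (!conn.authenticated) {
    // Nothing is processed until the first frame proves a valid session.
    if (msg.type !== "auth" || typeof msg.sessionId !== "string") return close(conn);
    const s = liveSession(msg.sessionId, now);
    if (!s) return close(conn);
    conn.authenticated = true;
    conn.user = s.user;
    conn.sessionId = msg.sessionId;
    return { type: "auth_ok", user: s.user };
  }
  // Re-check so that logout or expiry also ends an already-open socket.
  if (!liveSession(conn.sessionId, now)) return close(conn);
  return { type: "echo", user: conn.user, data: msg.data };
}
```

The identity attached to each reply comes from the server's session record, never from a field the client sends after authentication.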