What are the security issues around an open websocket connection?

Question

I am building an application that is using websockets. I am only going to allow authenticated users to open a websocket connection with the server after they have logged in and

Answer 1

1) The connection is safe, when you make it safe on the server side. So you have to send a session ID via WebSockets, verify on the server side that it is correct and mark the connection as valid. Authentication is more difficult with HTTP, because HTTP is stateless ( unlike raw TCP ). Of course it is still possible to hijack TCP connection, but it's not that easy ( see for example this article ) and if it happens, then nothing ( except for TLS ) can help you.

2) Well, if you wrap your WebSocket connection with an anonymous function like that:

(function() {
    var ws = new WebSocket("ws://localhost:1000");
    // some other stuff
})();

then no external JavaScript will be able to access it, so you don't have to worry about that.