2
I was wondering what an authentication process would look like on a Websocket server.
I intend to use the Javascript API for Websocket. But I would like to have a more restricted and controlled access in relation to the applications that will have connection to this server. The problem is that since Websocket is a layer apart from the application (i.e., Websocket does not have access to the application session), it "does not know" whether or not the authenticated user is authenticated in the other layer.
I would like to know what are the means to restrict an access to a Websocket.
For example: I want that, in an application, where I notify the user the status of their purchase, they have access to this information in real time through Websocket. Only I need this one to be "confirmed" as being the same as the one authenticated in my application.
Is there any technique or specific recommendation regarding authentications on Websocket servers?
I thought of implementing some kind of token. It would be a good option?
Editing:
Num article I read on the Internet on authentication in Websockets, I found an excerpt which, translated, says the following:
It is a common misconception that an authenticated user in the web hosting application is also authenticated in the socket flow. These are two completely different channels
Couldn’t you just use the same app session cookie? I don’t understand the restriction you mentioned, "Websocket doesn’t have access to the application session".
– Bacco
Wallace maybe this will help: https://stackoverflow.com/questions/4361173/http-headers-in-websockets-client-api, http://blog.stratumsecurity.com/2016/06/13/websockets-auth/
– Miguel
@Bacco example: Using Laravel backend on the server, but would like to use Websocket (which does not have access to the same data).
– Wallace Maxters