Re: [hybi] About authentication mechanism

Iñaki Baz Castillo <> Wed, 22 June 2011 10:43 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3AA3211E80D7 for <>; Wed, 22 Jun 2011 03:43:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.663
X-Spam-Status: No, score=-2.663 tagged_above=-999 required=5 tests=[AWL=0.014, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id mQhT7aXsTEOI for <>; Wed, 22 Jun 2011 03:43:04 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 7CAAC11E80EC for <>; Wed, 22 Jun 2011 03:43:04 -0700 (PDT)
Received: by qyk9 with SMTP id 9so3214840qyk.10 for <>; Wed, 22 Jun 2011 03:42:48 -0700 (PDT)
MIME-Version: 1.0
Received: by with SMTP id h19mr317540qcm.268.1308739368469; Wed, 22 Jun 2011 03:42:48 -0700 (PDT)
Received: by with HTTP; Wed, 22 Jun 2011 03:42:48 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <> <> <>
Date: Wed, 22 Jun 2011 12:42:48 +0200
Message-ID: <>
From: =?UTF-8?Q?I=C3=B1aki_Baz_Castillo?= <>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc:, Greg Wilkins <>
Subject: Re: [hybi] About authentication mechanism
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 22 Jun 2011 10:43:05 -0000

2011/6/22 Ian Fette (イアンフェッティ) <>om>:
>> Ok, but take into account that not all the WS connections would be
>> preceded by an access to a web page. Let's imagine a desktop wigdet
>> (or an Android app!) that directly open a WS connection (without
>> opening first a web page, so the client cannot authenticate via an
>> HTML form in "any custom way"). What to do then? How to prompt the
>> user for credentials? which authentication mechanism to use? So there
>> would be needed:
> A desktop widget / android app / ... surely already faces this problem with
> whatever communication mechanism they use, and I would be frankly amazed if
> they expected to solve it with http auth...


- Web developers don't like HTTP authentication in web pages and
prefer authentication at application level. I agree, it's nicer, but
it relies on the fact that HTTP usualy carries a web page (application
data) in which the user can fill a form, submit, and get
authentication and a Cookie for a session.

- This WG does not want to cover authentication mechanism at all for
WebSocket protocol, and instead leave it again at application level.
But here there is no a rendered web page in which the user can fill a
login form. So...

Assuming that any websocket connection would be preceded by a web
access (in which login and a session Cookie has been got) would be a
terrible error IMHO. So, does nobody agree that WS needs a built-in
authentication mechanism? Honestly I cannot understand. Hope I miss
something very important in this topic.

PS: Ian, could I know what you propose on this topic? For now you have
given reasons not to mandate HTTP auth. Could I know how will Google
authenticate WS connections in separate just-WS-servers? maybe
validating the Cookie header (initially retrieved from the web page)
against a centralized storage backend? or maybe you plan to build an
authentication mechanism within the WS carried subprotocol? (just
wondering, I don't want to know Google's internals).


Iñaki Baz Castillo