Re: [hybi] About authentication mechanism

Iñaki Baz Castillo <> Wed, 22 June 2011 10:07 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2EB8011E8098 for <>; Wed, 22 Jun 2011 03:07:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.663
X-Spam-Status: No, score=-2.663 tagged_above=-999 required=5 tests=[AWL=0.014, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id miXZf72jwkzf for <>; Wed, 22 Jun 2011 03:07:00 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 22D3E11E80CF for <>; Wed, 22 Jun 2011 03:07:00 -0700 (PDT)
Received: by qyk29 with SMTP id 29so458600qyk.10 for <>; Wed, 22 Jun 2011 03:06:59 -0700 (PDT)
MIME-Version: 1.0
Received: by with SMTP id g21mr306752qcq.230.1308737219289; Wed, 22 Jun 2011 03:06:59 -0700 (PDT)
Received: by with HTTP; Wed, 22 Jun 2011 03:06:59 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <>
Date: Wed, 22 Jun 2011 12:06:59 +0200
Message-ID: <>
From: =?UTF-8?Q?I=C3=B1aki_Baz_Castillo?= <>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc:, Greg Wilkins <>
Subject: Re: [hybi] About authentication mechanism
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 22 Jun 2011 10:07:01 -0000

2011/6/22 Ian Fette (イアンフェッティ) <>om>:
>> So what about if the websocket server is not the same as the web
>> server from which the JS code has been got? Would the WS handshake
>> request include a Cookie header (that replied in the HTTP 200 OK from
>> the server? so, should the separate websocket server do some magic
>> with the Cookie value to verify ist validity?
> How would you do it if you weren't using WebSockets but instead XHR? I doubt
> you would use HTTP auth...

Usually XHR is sent to the same web server (so using Cookie is very
suitable), am I wrong?
Note however I'm not an expert in XHR so maybe I miss something.

> I agree that a better solution would be to do whatever authentication you
> need when the user goes to the website, and then once the user is
> authenticated open the WS connection and pass some sort of credential. That
> could be via cookies if it's on the same origin, or it could be passed over
> the established WS connection. I don't know that it should be defined in the
> WS API though, as different sites might want to use vastly different
> authentication mechanisms (client-side certs, passwords, oauth, ...). It's
> much more flexible to leave it to the application.

Ok, but take into account that not all the WS connections would be
preceded by an access to a web page. Let's imagine a desktop wigdet
(or an Android app!) that directly open a WS connection (without
opening first a web page, so the client cannot authenticate via an
HTML form in "any custom way"). What to do then? How to prompt the
user for credentials? which authentication mechanism to use? So there
would be needed:

- An API for promting the user for credentials.
- A specified authentication mechanism for "pure websocket" connection
(without depending on a previous HTTP/HTML access).

Have the WG considered this case?

IMHO authentication should occur at protocol level, rather than at
application level. This is true in all the protocols of Internet but
HTTP, which is a jungle. But HTTP usually means displaying a web page
with some HTML form in which the user can interact by setting his
credentials, press "submit" and that's all. Such kind of
authentication level is not possible in WebSocket as a WebSocket
renders nothing to the user, a WebSocket server does reply a web page.

I still see the need to mandate the support of HTTP Digest
authentication in WebSocket (which involves an API and a section in
current specification.


Iñaki Baz Castillo