IETF Logo Mail Archive

Re: [hybi] WebSocket handshake (HTTP and SSO)

Hector Santos <hsantos@isdg.net> Mon, 30 August 2010 04:16 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 247F03A6927 for <hybi@core3.amsl.com>; Sun, 29 Aug 2010 21:16:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.048
X-Spam-Level:
X-Spam-Status: No, score=-4.048 tagged_above=-999 required=5 tests=[AWL=-2.049, BAYES_00=-2.599, J_CHICKENPOX_63=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AQlRaVjTp0m2 for <hybi@core3.amsl.com>; Sun, 29 Aug 2010 21:16:04 -0700 (PDT)
Received: from mail3.winserver.com (mail3.winserver.com [208.247.131.15]) by core3.amsl.com (Postfix) with ESMTP id A61C83A6918 for <hybi@ietf.org>; Sun, 29 Aug 2010 21:16:03 -0700 (PDT)
Received: by winserver.com (Wildcat! SMTP Router v6.3.453.4) for hybi@ietf.org; Mon, 30 Aug 2010 00:16:46 -0400
Received: from beta.winserver.com ([208.247.131.23]) by winserver.com (Wildcat! SMTP v6.3.453.4) with ESMTP id 2759833671; Mon, 30 Aug 2010 00:16:44 -0400
Received: by beta.winserver.com (Wildcat! SMTP Router v6.3.453.2) for hybi@ietf.org; Mon, 30 Aug 2010 00:14:45 -0400
Received: from [192.168.1.101] ([99.3.147.93]) by beta.winserver.com (Wildcat! SMTP v6.3.453.2) with ESMTP id 3347931266; Mon, 30 Aug 2010 00:14:45 -0400
Message-ID: <4C7B309E.4050303@isdg.net>
Date: Mon, 30 Aug 2010 00:16:30 -0400
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
To: John Tamplin <jat@google.com>
References: <4C7A269F.8020306@gmail.com> <AANLkTinqJ+K-pqm7p7S+aviWVY==S0mJ9RBvNfpnTa02@mail.gmail.com> <AANLkTikCVNoJnKXTOTJadYJWYR356u1wZdVNdBwEh6cg@mail.gmail.com> <AANLkTik3Jo4rG8cTcHerpwPumT_X77bn9y5rDkZ8ZD33@mail.gmail.com> <AANLkTimabr-0gVy1Jpr0=i-Wfv6u-AnD+ReNvb0eajYO@mail.gmail.com>
In-Reply-To: <AANLkTimabr-0gVy1Jpr0=i-Wfv6u-AnD+ReNvb0eajYO@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] WebSocket handshake (HTTP and SSO)
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Aug 2010 04:16:05 -0000

John Tamplin wrote:

> How many websites actually use HTTP Auth to protect the data?  In my
> experience, not many, because they want to control how the user logs
> in and of limitations like not supporting logout.  

John, one really can't design protocols based on subjective opinions 
like this.  HTTP AUTH is a standard and it should be expected it will 
be used regardless of the perceived numbers.

I still see many sites use HTTP AUTH. Our system allows operators to 
use BASIC, DIGEST and cookie-based form logins and mixed depending on 
the user browser setting. BASIC was the original offering and there 
are still many customers using it, mostly combined combined with SSL. 
DIGEST was still optional so you didn't guarantee it and JS was still 
something that wasn't forced upon their users - for security reasons.

Of course today, you see more JS logins and we push the more 
"acceptable" javascript based logins, but its not forced.

Also, PCI requirements can caused many non-standard javascript login 
implementations to fail. DIGEST+SSL with NONCE support is acceptable 
for PCI compliance.

Also, you can have a logout box even with BASIC/DIGEST by combining it 
with a session cookie.  Issuing a 403, combining with a 401 again when 
the session cookie is not there, will invalidate the credentials in 
most, if not all the browsers tested over the years.  Only when the 
user has cookies off,  do we redirect them to a "CLOSE YOUR BROWSER" page.

> Anyway, this strikes me as something to go over in detail when we are
> further down the road from where we are.  I think we need to finish up
> the framing and get basic agreement on how the handshake should look,
> and then we can take up how to get credentials to a WebSocket server.

+1, and when we get there, IMV a key design question will be if a 401 
will trigger a HTTP AUTH browser popup or whether the websocket class 
should have a  OnAuth() event where perhaps the JS can do a redirect 
to a login page.

For that matter, offer the main "page change flow" events:

   OnAuth()      triggered by 401
   OnRedirect()  triggered by 302

-- 
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com

v2.23.0 | Report a Bug | By Email