Re: [hybi] hybi Digest, Vol 51, Issue 14

Adam Rice <ricea@google.com> Mon, 10 June 2013 07:37 UTC

To: Scott Morgan <scott@adligo.com>
Cc: hybi@ietf.org

On 2 June 2013 02:55, Scott Morgan <scott@adligo.com> wrote:

> Yes, and actually I am going to change the way I do this after reading the
> RFC. I am going to use regular http(s) for the authentication part, so
> this would change to the following.
>
> 1 Browser sends authentication to the server over https
> 2 Server notes the IP address of the request and responds with a ws url to
> the client if successful, i.e. wss://example.com/valid?session=123
> 3 Browser connects to url wss://example.com/valid?session=123
> 4 Server checks the IP address of the original https request against the wss
> connection
>     to make sure they are the same, and takes appropriate action (closes
> the wss connection if they are NOT, or some other appropriate action)
>
It seems to me that storing the session ID in a cookie would make this
easier.

If you want to put the session ID in a URL, I would recommend making it
single-use, although that means you need some mechanism to get a new
session ID if the WebSocket connection fails.

RFC 6455 allows WebSocket connections to use a different proxy than HTTPS
connections. Although I'm not aware of any client that actually implements
this, you should not assume that all requests from the same sender will
come from the same IP.