Re: [hybi] Web Socket IP Authentication

[Dave Cridland <dave@cridland.net>]

I'll skip the email discussion as it's not relevant here.

On Thu Sep  2 22:30:04 2010, Hector Santos wrote:
> In any case, the point was that IP authentication *can* be a valid  
> server side consideration for secondary web sockets connections.
> 
> 
And my point is that it is not.


> When the HTTP session authenticates the user with HTTP/COOKIE auth,  
> the binding to the IP is set and this can be used for any pending  
> web-socket clients on the same IP.  Whether a TTL is required, I  
> don't know if its necessary or not since IMV, there is a greater  
> predictability and timeline of events with the HTTP session and WS  
> session than it was with POP3 and SMTP.

Not especially. An HTTP request may be passed through several  
proxies, a WebSocket request is less likely to.

It's important to consider that if the HTTP service provides a  
cookie, then that should be sufficient if it would be sufficient in  
HTTP. I would argue that the whole question of user authentication on  
"the web" is in dire need of a re-examination, but again, this really  
isn't the forum to do it in.

One point you made does apply here too - an IP address, if within the  
AS or local network, is sufficient to authenticate as an otherwise  
anonymous local user. This is the case used to allow SMTP relaying to  
ISP customers. I don't think this will be an option for the vast  
majrotiy of WebSocket services.

Dave.
-- 
Dave Cridland - mailto:dave@cridland.net - xmpp:dwd@dave.cridland.net
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade