IETF Logo Mail Archive

Re: [hybi] WebSocket handshake (HTTP and SSO)

Hector Santos <hsantos@isdg.net> Mon, 30 August 2010 03:03 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A27B93A68FC for <hybi@core3.amsl.com>; Sun, 29 Aug 2010 20:03:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.424
X-Spam-Level:
X-Spam-Status: No, score=-4.424 tagged_above=-999 required=5 tests=[AWL=-1.825, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8fIvOWvb-xVk for <hybi@core3.amsl.com>; Sun, 29 Aug 2010 20:03:19 -0700 (PDT)
Received: from mail3.winserver.com (mail3.winserver.com [208.247.131.15]) by core3.amsl.com (Postfix) with ESMTP id 320BB3A68FA for <hybi@ietf.org>; Sun, 29 Aug 2010 20:03:19 -0700 (PDT)
Received: by winserver.com (Wildcat! SMTP Router v6.3.453.4) for hybi@ietf.org; Sun, 29 Aug 2010 23:04:02 -0400
Received: from beta.winserver.com ([208.247.131.23]) by winserver.com (Wildcat! SMTP v6.3.453.4) with ESMTP id 2755470390; Sun, 29 Aug 2010 23:04:01 -0400
Received: by beta.winserver.com (Wildcat! SMTP Router v6.3.453.2) for hybi@ietf.org; Sun, 29 Aug 2010 23:02:02 -0400
Received: from [192.168.1.101] ([99.3.147.93]) by beta.winserver.com (Wildcat! SMTP v6.3.453.2) with ESMTP id 3343568157; Sun, 29 Aug 2010 23:02:02 -0400
Message-ID: <4C7B1F93.5030000@isdg.net>
Date: Sun, 29 Aug 2010 23:03:47 -0400
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
To: John Tamplin <jat@google.com>
References: <4C7A269F.8020306@gmail.com> <AANLkTinqJ+K-pqm7p7S+aviWVY==S0mJ9RBvNfpnTa02@mail.gmail.com> <AANLkTikCVNoJnKXTOTJadYJWYR356u1wZdVNdBwEh6cg@mail.gmail.com>
In-Reply-To: <AANLkTikCVNoJnKXTOTJadYJWYR356u1wZdVNdBwEh6cg@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: hybi <hybi@ietf.org>, Brodie Thiesfield <brodie@jellycan.com>
Subject: Re: [hybi] WebSocket handshake (HTTP and SSO)
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Aug 2010 03:03:20 -0000

John Tamplin wrote:
> On Sun, Aug 29, 2010 at 8:44 PM, Greg Wilkins <gregw@webtide.com> wrote:

> I agree that we need to solve authentication with WebSockets, but 
> it isn't clear emulating HTTP Auth is the best answer.  Since 
> the connection is under program control and the program has 
> presumably already authenticated itself with the server, perhaps 
> just providing a way to pass credentials to the WebSocket 
> constructor (which would then be passed in the handshake) would be
> sufficient.  Of course that could always be done by client and server
> agreement to send the credentials as the first message, though it may be
> common enough to support it directly rather than having every app reinvent
> it slightly differently.

+1, IMO, this would be a session management implementation issue.

We had this design requirement since 1996 with our multi-device 
connections and dealing with common user session management between 
the different clients.  The server will always need to check and 
secure for independent websocket entry points.

Whether a server application needs call for signaling an 
authentication requirement via websocket is another subject to discuss.

In our design, we have two clients that can be started via a browser - 
one Native GUI, the other Java-Based. They both start a TCP session 
for interactive I/O communications over a PPP framing API layer/wire. 
So two sessions are started - one browser, one non-browser.

Regardless of how authentication takes place via browser, HTTP AUTH or 
cookies, when the non-browser is launched, a session id is passed 
which will clone the session.

If the login takes place via the native GUI client, the user has an 
option to open a homepage browser session by passing a session id as 
part of the url.

No matter what method and direction is used, the backend server needs 
to control/secure all that any way.

Overall, the issues we experience is controlling direct url request 
that might bypass the initial authentication and/or cookie settings, 
including javascripting requirements.

I don't currently see how websockets will change this or the need 
correct session management on the back one.

The following illustration can illustrate the point:

    http://www.winserver.com/public/vimg.wct?src=wcrpcnet7.png

The light yellow WCRPC is our missing piece and WEBSOCKET is what we 
excited us to possibly use.  But User can connect with any of the 
yellow WCN clients.

Session management controls is important and I will also note to 
product managers it might change any user/node licensing you have.  It 
was one of the first things we had to do back in 1996 since users were 
no long connecting just one way.


-- 
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com

v2.23.0 | Report a Bug | By Email