I'm working on a simple web app that uses JWT authentication. Authenticated users may open a WebSocket to the server, and, as it turns out, that is more complicated than setting an authentication header (see "HTTP headers in WebSockets client API").
I'm following the article https://devcenter.heroku.com/articles/websocket-security#authentication-authorization to work around this. The article describes generating a ticket for an authenticated client upon request (the ticket contains the user ID + IP address), storing the ticket (which expires after X seconds), and having the client open the WebSocket with the ticket as part of the URL (e.g. "ws://localhost:3000/conn/[myticket]" or "ws://localhost:3000/conn?ticket=[myticket]").
Here's my question: should the ticket be encrypted? If the ticket weren't encrypted, could someone spoof the IP address and forge a valid ticket for that address, knowing the ticket is unexpired and unused?
Follow-up question: how should the ticket be encrypted? Since it has to be sent as part of the URL, is binary encryption possible, or does it have to be UTF-8?