Secure Login for valid access to WebSocketServer

Sep 7, 2015 at 5:55 AM
Hi Kerry jiang.
We have created the business logic to Access our application by authenticating the user credentials against a database. No problema, now:
1)
All the information is sent in a plane text from the Webbrowser to our WebSocketServer, if possible to protect data without to forcé the client side to install a certificate?

2)
If possible to have a login webpage (aspx) using Windows validation or any other option and, if credentials are valid then let the access to the websocketserver? I mean, the websocket should refuse if there is not authentication token ...

3)
How can We control that a robot try to send multiple login connections to our websocketserver?
Let me explain this. We have a webbrowser client page where a user must input the user name, password and a random capcha, later click connect if everything is fine in remains connected if not he or she is disconnected with the corresponding message ... now, if somebody create a robot and send whatever data to the server port millions of times, the server can get the maxsessions until it disconnect but the robot could send this data indifinetily, how can I avoid that? Maybe, creating a filter of the last IP and if, for example there are more tan five retrys in a short period of times (miliseconds/seconds) of the same IP blocked, but how? because to blocked means it achieve to open a conection ...

Thanks.
Oct 26, 2015 at 4:15 AM
Hello johnatan:

1) SuperWebSocket/SuperSocket.WebSocket support wss, which is transferring level encryption like https over http.
2) Yes, you can. You can login on the website and get the login token. Save the token in the browser cookie, then websocket server can get it.
3)That's your own application level business. But in SuperSocket, there is ConnectionFilter, which I think you van use.