How is automatic reconnection handled when dealing with authenticated connections?


Raito Bezarius

Apr 10, 2015, 2:44:04 PM
to autob...@googlegroups.com
Hello !

I was wondering how, in Autobahn|JS, the automatic reconnection (when the socket is closed or whatever) is handled with an authenticated connection. Let me illustrate this:

You have a login flow where the user enters his password; when he clicks on the "Connect" button, it creates an autobahn.Connection object with these options:

{
   url: whatever,
   realm: whatever,
   authmethods: ["wampcra"],
   onchallenge: myOnChallenge,
   authid: form.username
}

Okay, then Autobahn calls myOnChallenge when it receives the CHALLENGE message (correct me if I'm wrong), so here is the myOnChallenge method (the wampcra scheme is assumed):

function myOnChallenge(session, method, extra) {
   var secret = form.password;
   [...]
}

But, to avoid keeping the password in my variables, I want to forget about it and delete it.
Then, what if the socket is closed? Will the automatic reconnection "system" auto-magically re-auth the socket without needing to use the password, or how would you handle that in a web application? Would you store the password in some global store? The hash?

I could redirect the user to the login page whenever there is a problem, but isn't it a bit annoying for the user to be redirected every time and asked to type his password? And if he is using a poor connection (mobile, foreign), it would happen more often...

It appears to me to be a very important problem to consider for the stability of those authenticated connections.

I'm having some issues around this part of authentication, and I may be wrong or I might be trying to do it in the wrong way.

Thank you in advance!

Tobias Oberstein

Apr 10, 2015, 3:27:26 PM
to autobahnws

Yep, this is a valid concern when using WAMP-CRA authentication - and only that. There are multiple answers here.

1) Use WAMP-CRA in combination with cookie authentication. This is actually our recommended auth.
2) An upcoming upgrade would allow WAMP-SALT, TLS certs, TOTP and two-factor auth.
3) Session freeze/resume. This is more of a longer-term feature. It'll allow client sessions to survive transport/connection reestablishments.

Sent from Mobile (Google Nexus 5)


Raito Bezarius

Apr 10, 2015, 5:13:51 PM
to autob...@googlegroups.com
For the first one, it would make WAMP-CRA lose its interest, because now an attacker could just listen for cookie auth data and use it to steal access. Even if, theoretically, this problem would be solved using Secure WebSocket (wss).
For the third one, I'm pretty interested in how it could be done. Would the client session share a secret with the router which is a proof of a previous authentication? (implying that it would introduce fresh authentication, which would be very useful).

If you want I can open an issue for it on the Crossbar repo (it would be the more proper place to open it, I think?).