Hi Petri,
It'll depend.
Say you have an existing Web application, where the HTML/CSS/JS is
served by Apache, and the user is authenticated there via mod_auth_tkt.
Upon successful authentication, a cookie is set for the origin of the HTML.
Now, say you have Crossbar.io running, and only used for
WAMP(-over-WebSocket).
You can have the JS read the cookie, and then use WAMP-Ticket
authentication, forwarding the cookie value on the WAMP/WebSocket
connection to Crossbar.io.
Then you can have a custom, dynamic authenticator
https://github.com/crossbario/crossbarexamples/tree/master/authentication/ticket/dynamic
that will get the cookie value as the ticket.
That authenticator code (of yours) then will need to check the cookie.
When the cookie value is cryptographically signed in itself, no further
communication is needed.
If it's not (but it should be!), then the authenticator needs to talk to
your actual cookie/auth DB to check.
In the former case (if done right), you _can_ get away without secure
WebSocket. (However, replay attacks!)
In the latter, you MUST use secure WebSocket to make it secure.
But you should use secure WebSocket in general, and always anyway.
Does that help?
Cheers,
/Tobias
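
Added example (not part of the original message, and not Crossbar.io or mod_auth_tkt code): a sketch of the check a dynamic ticket authenticator could run when the cookie value is signed in itself. The `authid|expires|mac` ticket layout, the secret, the role name and the `InvalidTicket` exception are assumptions made for illustration, and `authenticate` only mirrors the assumed `(realm, authid, details)` call shape with the ticket in `details["ticket"]`.

```python
import hashlib
import hmac
import time

# Constructed secret, shared by the web app that issues the cookie and the authenticator.
SECRET = b"constructed-demo-secret"
ROLE = "frontend"  # hypothetical role name


class InvalidTicket(Exception):
    """Stand-in for the error an authenticator raises to deny the join."""


def sign_ticket(authid, expires, secret=SECRET):
    """Issue 'authid|expires|mac' (what the web app would store in the cookie)."""
    payload = f"{authid}|{expires}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_ticket(ticket, authid, now=None, secret=SECRET):
    """Return True only for an unexpired ticket signed for this authid."""
    now = time.time() if now is None else now
    if not isinstance(ticket, str) or not isinstance(authid, str):
        return False
    try:
        t_authid, t_expires, t_mac = ticket.rsplit("|", 2)
        expires = int(t_expires)
    except ValueError:
        return False
    payload = f"{t_authid}|{t_expires}".encode()
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison; verify the MAC before trusting any field.
    if not hmac.compare_digest(expected.encode(), t_mac.encode()):
        return False
    # Expiry bounds how long a captured ticket can be replayed; it does not
    # prevent replay inside that window, which is why TLS is still wanted.
    if expires < now:
        return False
    # The ticket must belong to the authid announced on the WAMP connection.
    return hmac.compare_digest(t_authid.encode(), authid.encode())


def authenticate(realm, authid, details):
    """Assumed call shape of a dynamic authenticator: ticket in details['ticket']."""
    if not verify_ticket(details.get("ticket"), authid):
        raise InvalidTicket(f"invalid or expired ticket for {authid!r}")
    return ROLE
```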