Symfony 2 Security & Websockets: Working with tickets

What's websocket?

How it's done

Starts with an HTTP request:

GET /socket.io/1/websocket/6mDqTWQ0hWpKY5V_GYWo HTTP/1.1
Host: websocket.symfony2.local:8000
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: ijIdeSs13H1t6Ez3rZtdaA==
Sec-WebSocket-Version: 13
Origin: http://websocket.symfony2.local
Cookie: PHPSESSID=pnsdaav81i2v1lpopenbd9aq93

And the server's response:

HTTP/1.1 101 Switching Protocols
Connection: Upgrade
Sec-WebSocket-Accept: 6GRVpnnWRvk90r/nLFsxfrP3+D0=
Upgrade: websocket

Sending messages:

// Endpoint as in the handshake above; register handlers before the
// socket is open, and only send once it is.
var socket = new WebSocket("ws://websocket.symfony2.local:8000/");
socket.onmessage = function (event) {
  console.log(event.data);
};
socket.onopen = function () {
  socket.send("Much string. Very message. Wow.");
};

Socket.io Event system

socket.emit(
    "user:say",
    {user: 1, message: "Hi."}
);
socket.on(
    "user:say",
    function (data) { console.log(data.message); }
);

See it in action

The security problem

Websocket server security

  • No authentication
  • No authorization

Anyone can connect: the browser sends Origin and the PHPSESSID cookie on the upgrade, but the Node server never checks either, so any page (or any non-browser client) can open a socket and receive every event:

var script = document.createElement("script");
script.src = "http://websocket.symfony2.local/socket.io/socket.io.js";
document.body.appendChild(script);
var socket = io.connect(
    "http://websocket.symfony2.local/",
    { port: 8000, transports: ["websocket"] }
);

The ticket pattern

  • Let Symfony handle the security
  • Give Node a single simple task

Sample implementation

Forge a Ticket when you need it

  • On a specific route
  • On client's demand
  • On each Request