websocket-spec: WEBSOCKET_SPEC-5

Define relationship between HttpSession and Web Socket Sessions.

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels: None

      Description

      We want these two things to be true:

      1) if the web socket is a protected resource in the web application, that is to say, requires an authorized user to access it, and the user explicitly invalidates the HttpSession, the websocket implementation must close the web socket connection immediately

      2) if the user of the web application is actively using the web sockets within the web application, but does not access any of the web resources, the web socket implementation must keep the HttpSession from timing out (TBD: this is a request to the servlet specification).

      This is because authentication state is carried in the Http Session.

      But what about the unauthenticated case ? Does an explicit invalidate need to close the web sockets ? Does a timeout matter ?

        Activity

        dannycoward added a comment -

        1) The only association between websocket session and HttpSession is at opening handshake time. The API gives developers a convenient access to the HttpSession object at that point in time.
        2) The user identity associated with the websocket Session is the user identity that was established at the opening handshake.
        3) If the server decides that authorization for this websocket resource by this user identity has ended (it expired, or some logout mechanism was invoked) then the websocket implementation must immediately close the connection.

        (from my read of the websocket spec, the most suitable close code for the latter is 1008).

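The behaviour described in the comment above, as an added example that is not part of the issue, the JSR 356 reference implementation, or any container's code: the HttpSession is captured only at the opening handshake (via a `ServerEndpointConfig.Configurator`), each WebSocket `Session` is indexed by the HttpSession id it was opened under, and an `HttpSessionListener` closes those sockets with close code 1008 (`CloseCodes.VIOLATED_POLICY`) when the HttpSession is destroyed, whether by an explicit `invalidate()` or by timeout. The endpoint path `/protected/ws`, the `SessionRegistry` class and the `httpSessionId` property key are assumptions; the three top-level classes are shown in one listing for brevity and belong in separate source files.

```java
// Added example (not from the issue or from any JSR 356 implementation):
// bind WebSocket sessions to the HttpSession seen at handshake time and
// close them with 1008 when that HttpSession is invalidated or times out.
// The endpoint path, registry class and property key are assumptions.
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import javax.websocket.CloseReason;
import javax.websocket.EndpointConfig;
import javax.websocket.HandshakeResponse;
import javax.websocket.OnClose;
import javax.websocket.OnOpen;
import javax.websocket.Session;
import javax.websocket.server.HandshakeRequest;
import javax.websocket.server.ServerEndpoint;
import javax.websocket.server.ServerEndpointConfig;

/** Assumed helper: which WebSocket sessions were opened under which HttpSession id. */
final class SessionRegistry {
    private static final Map<String, Set<Session>> BY_HTTP_SESSION = new ConcurrentHashMap<>();

    static void register(String httpSessionId, Session ws) {
        BY_HTTP_SESSION.computeIfAbsent(httpSessionId, k -> ConcurrentHashMap.newKeySet()).add(ws);
    }

    static void unregister(String httpSessionId, Session ws) {
        Set<Session> set = BY_HTTP_SESSION.get(httpSessionId);
        if (set != null) {
            set.remove(ws);
            if (set.isEmpty()) BY_HTTP_SESSION.remove(httpSessionId, set);
        }
    }

    /** Close every WebSocket bound to this HttpSession with 1008 (VIOLATED_POLICY). */
    static void closeAll(String httpSessionId) {
        Set<Session> set = BY_HTTP_SESSION.remove(httpSessionId);
        if (set == null) return;
        CloseReason reason = new CloseReason(CloseReason.CloseCodes.VIOLATED_POLICY, "HTTP session invalidated");
        for (Session ws : set) {
            try { ws.close(reason); } catch (IOException alreadyClosed) { /* peer already gone */ }
        }
    }
}

/** The opening handshake is the only point where HttpSession and WebSocket meet; record the id here. */
final class HttpSessionCapturingConfigurator extends ServerEndpointConfig.Configurator {
    static final String HTTP_SESSION_ID = "httpSessionId"; // assumed property key

    @Override
    public void modifyHandshake(ServerEndpointConfig sec, HandshakeRequest request, HandshakeResponse response) {
        HttpSession http = (HttpSession) request.getHttpSession(); // null if no HttpSession exists yet
        if (http != null) {
            sec.getUserProperties().put(HTTP_SESSION_ID, http.getId());
        }
    }
}

@ServerEndpoint(value = "/protected/ws", configurator = HttpSessionCapturingConfigurator.class)
public class ProtectedEndpoint {
    @OnOpen
    public void onOpen(Session ws, EndpointConfig config) throws IOException {
        String httpSessionId = (String) config.getUserProperties().get(HttpSessionCapturingConfigurator.HTTP_SESSION_ID);
        if (httpSessionId == null) {
            // Protected resource with no HttpSession at handshake: nothing to bind the user identity to.
            ws.close(new CloseReason(CloseReason.CloseCodes.VIOLATED_POLICY, "no HTTP session"));
            return;
        }
        ws.getUserProperties().put(HttpSessionCapturingConfigurator.HTTP_SESSION_ID, httpSessionId);
        SessionRegistry.register(httpSessionId, ws);
    }

    @OnClose
    public void onClose(Session ws) {
        String id = (String) ws.getUserProperties().get(HttpSessionCapturingConfigurator.HTTP_SESSION_ID);
        if (id != null) SessionRegistry.unregister(id, ws);
    }
}

/** sessionDestroyed fires for both explicit invalidate() and timeout; either way the sockets go. */
@WebListener
class HttpSessionTeardownListener implements HttpSessionListener {
    @Override public void sessionCreated(HttpSessionEvent se) { }

    @Override public void sessionDestroyed(HttpSessionEvent se) {
        SessionRegistry.closeAll(se.getSession().getId());
    }
}
```

One caveat worth knowing before copying this pattern: `sec.getUserProperties()` is a per-endpoint map that the API does not promise to copy per handshake, so on a container that shares it, two concurrent handshakes can overwrite each other's id. Containers that clone the config per connection avoid this; elsewhere the id should be handed from `modifyHandshake` to `@OnOpen` through a per-connection channel instead. Note also that the example only covers the first requirement in the description (invalidate closes the socket); keeping the HttpSession alive while only the socket is in use is the servlet-side request the description marks TBD and is not something the WebSocket API alone can do.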
        dannycoward added a comment -

        This has been updated in v010 of the spec, per my comment.


  People

  • Assignee: dannycoward
  • Reporter: dannycoward
  • Votes: 0
  • Watchers: 0