In a situation where all communication (including logging in) between a client (web browser) and server is done over a persistent TLS encrypted websocket, would there be anything inadvisable about having the server attach the client’s log-in state to the connection itself as custom properties?
i.e.,
WSconnection.loggedIn = true;
WSconnection.timeout = Date.now() + 360000;
By doing this you'd actually be authenticating the connection, not the user. However, the connection is a persistent TLS-encrypted point-to-point connection.
That is how HornetQ’s websocket implementation works (Stomp doesn’t necessarily have to work over WebSockets but HornetQ exposes both naked TCP and WebSocket options).
StompConnection.java
Essentially, the connection object is wrapped with the metadata of the HornetQ session ID and the login credentials, and flagged "isValid".
So yes, it’s certainly a practical and workable method.
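The pattern from the question (login state and a deadline stored on the connection) and the answer's "isValid" wrapper, as an added example that is not code from the question or from HornetQ. It keeps the state in a plain wrapper object with an injectable clock, enforces the idle timeout on every inbound message rather than only at login, and clears the state on close; verifyCredentials, the message shapes and the sample credentials are assumptions.

```javascript
// Added example: per-connection authentication state with an idle timeout.
const SESSION_TTL_MS = 360000; // 6 minutes, the value used in the question

// Hypothetical credential check; a real server would consult a user store.
function verifyCredentials(user, password) {
  return user === "alice" && password === "correct horse"; // constructed sample
}

// The state lives on (a wrapper around) the connection object, as in the
// question; `now` is injectable so the timeout logic can be exercised offline.
function createConnectionState(now = Date.now) {
  return { loggedIn: false, user: null, timeout: 0, now };
}

function login(conn, user, password) {
  if (!verifyCredentials(user, password)) {
    conn.loggedIn = false; conn.user = null; conn.timeout = 0;
    return false;
  }
  conn.loggedIn = true;
  conn.user = user;
  conn.timeout = conn.now() + SESSION_TTL_MS;
  return true;
}

// Run for every inbound frame: the connection counts as authenticated only while
// the flag is set and the deadline has not passed. Expiry clears the flag so a
// later frame cannot slip through; activity extends the deadline (idle timeout).
function isAuthenticated(conn) {
  if (!conn.loggedIn) return false;
  if (conn.now() > conn.timeout) {
    conn.loggedIn = false; conn.user = null;
    return false;
  }
  conn.timeout = conn.now() + SESSION_TTL_MS;
  return true;
}

// On socket close nothing needs revoking elsewhere, since the state is bound to
// the connection, but clearing the wrapper avoids reuse if objects are pooled.
function onClose(conn) {
  conn.loggedIn = false; conn.user = null; conn.timeout = 0;
}

// Dispatch a constructed message; only "login" is accepted before authentication.
function handleMessage(conn, msg) {
  if (msg.type === "login") return login(conn, msg.user, msg.password) ? "ok" : "denied";
  if (!isAuthenticated(conn)) return "unauthenticated";
  return `echo:${msg.payload}`;
}
```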