WebSockets - The Right Approach to Create Channels and Transfer Data

I have a scenario where I want to inform the users of my site that someone has commented on an article in which they have also commented. This is very similar to the way SO notifies me when someone answers a question!

On the server side, I save the comment and then go through all users who have commented on the same article. Then I broadcast (I am using Atmosphere):

import org.primefaces.push.PushContext;
import org.primefaces.push.PushContextFactory;

PushContext pushContext = PushContextFactory.getDefault().getPushContext();

for (User u : users) {
    // channel name, message
    pushContext.push("/user_" + u.id, "someone commented! blah blah");
}

The "channel" I am passing is the user's "own" channel, as I don't want every user to be notified. For this, I use the user id in the channel name.

Is this the right thing to do to notify only the relevant users?

I think I also want to do two more things:

  • Push only to those users that I believe are still online. If they are not online, pushing to them is a waste of resources.
  • Encrypt the message, because otherwise someone could listen in on my messages if they know my user ID.

Is there anything else I should be thinking about?

+2




1 answer


SO uses WebSockets, for example when a comment is added to this post, you get a notification in the status bar at the top left of the SO page.

When the page is loaded, the browser makes a protocol update request that looks like this:

Request URL:ws://sockets-se.or.stackexchange.com/
Request Method:GET
Status Code:101 Switching Protocols
Request Headers
Connection:Upgrade
Cookie:__qca=P0-1697817643-1763440830313; __utma=27376923.959753990.1338240830.1353943751.1384115154.33; __utmc=27693525; __utmz=27699983.1356175156.31.31.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided)
Host:sockets-se.or.stackexchange.com
Origin:http://stackoverflow.com
Sec-WebSocket-Extensions:x-webkit-deflate-frame
Sec-WebSocket-Key:6qFl45+6gZ526yMMo79zWQ==
Sec-WebSocket-Version:13
Upgrade:websocket
(Key3):00:00:00:00:00:00:00:00
Response Headers
Connection:Upgrade
Sec-WebSocket-Accept:B4h2G+gi78iNZZXg+o6iAztgF1I=
Upgrade:websocket
(Challenge Response):00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00


The socket is then opened and the server can send updates to the browser. For example, my comment notification is received by the browser as:



{"action":"1-question-12993099","data":"{\"a\":\"comment-add\",\"id\":12993099,\"commentid\":19334206,\"acctid\":1298157}"}


It contains no actual comment; it seems like it's just being used to tell the browser to show a red icon. When you then click, it makes a request for the page, including the comment. The question ID (12993099), comment ID (19334206) and account ID (1298157) are contained in this frame.

I don't see anything in the above that would prevent a hacker from creating a websocket to listen to your notifications. The cookies look to me like Google Analytics cookies, or at least the second and third. Perhaps the first one is some code that you wouldn't know if I hadn't just posted it (don't worry, I'm changing it!).

In your Atmosphere example, I know that when websockets are down, long polling is used by default, which then requests a URL with the channel name in it. Thus, you can force the client to generate a channel name that only it will know and associate with the registered user. But anyone sniffing the web will have access to your traffic again, so you'll have to secure it with secure web sockets (WSS) and HTTPS (for long polling).

+2
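The answer's suggestion (a channel name only the authenticated client knows, instead of the question's guessable "/user_" + u.id) as an added example; this is not code from the question, the answer or the Atmosphere/PrimeFaces projects. ChannelRegistry is a hypothetical helper built only on the JDK; the push call it is meant to feed is the one from the question.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical helper (added example): maps unguessable channel names to the
// user that owns them, so knowing a user id is not enough to subscribe.
public final class ChannelRegistry {
    private static final SecureRandom RNG = new SecureRandom();
    // channel -> userId, filled only after the user has authenticated
    private final Map<String, Long> ownerOfChannel = new ConcurrentHashMap<>();
    // userId -> channel, so the broadcast loop can find where to push
    private final Map<Long, String> channelOfUser = new ConcurrentHashMap<>();

    /** Issue a fresh channel for an authenticated user (e.g. at login). */
    public String issueChannel(long userId) {
        byte[] raw = new byte[32];                 // 256 bits of randomness
        RNG.nextBytes(raw);
        String channel = "/n/" + Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        String previous = channelOfUser.put(userId, channel);
        if (previous != null) {
            ownerOfChannel.remove(previous);       // only one live channel per user
        }
        ownerOfChannel.put(channel, userId);
        return channel;                            // hand to the client over HTTPS/WSS
    }

    /** Subscription check: the session's user must own the requested channel. */
    public boolean mayListen(String channel, long sessionUserId) {
        Long owner = ownerOfChannel.get(channel);
        return owner != null && owner == sessionUserId;
    }

    /** Channel for the broadcast loop; null means "no live channel", i.e. skip (offline). */
    public String channelFor(long userId) {
        return channelOfUser.get(userId);
    }

    /** Drop the channel on logout or disconnect so stale names cannot be reused. */
    public void revoke(long userId) {
        String channel = channelOfUser.remove(userId);
        if (channel != null) {
            ownerOfChannel.remove(channel);
        }
    }
}
```

In the question's loop, replace "/user_" + u.id with registry.channelFor(u.id) and skip users for whom it returns null; this also covers the "only push to users who are online" point, since a user without a live channel is not pushed to.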

