Accessing secure websocket server through http/https - trace of session

Dec 20, 2012 at 5:25 AM

Hi Kerry,

I noticed that when you access your secure websocket using https://echo.websocket.org instead of wss://echo.websocket.org, it leaves trail of socket session.

I'm using version 1.5 beta 5.

Preferably I think the server should clean up the socket session and returns 400 Bad Request like the implementation of https://echo.websocket.org.

Can you shed some light to this issues?

Thanks.

Coordinator
Jan 15, 2013 at 9:05 AM

I think SuperWebSocket has implemented it.

Sep 18, 2014 at 1:24 AM
Edited Sep 18, 2014 at 1:25 AM
Hi Kerry,

When you access a websocket server from http / https, it leaves the connection open instead of closing the connection as soon as no handshake is received.

I have made changes to rectify this issue:

On SuperWebSocket\Protocol\HandshakeRequest.cs

Add an handshake state: true or false indicate a valid handshake has been received / not.
    /// <summary>
    /// Handshake request
    /// </summary>
    class HandshakeRequest : IWebSocketFragment
    {
        /// <summary>
        /// State of the handshake
        /// </summary>
        public bool Handshaked { get; set; }

        /// <summary>
        /// Gets the key of this request.
        /// </summary>
        public string Key
        {
            get { return OpCode.HandshakeTag; }
        }

        public HandshakeRequest()
            : this(true)
        {
        }

        public HandshakeRequest(bool state)
        {
            this.Handshaked = state;
        }
    }
On SuperWebSocket\Command\Handshake.cs
        public override void ExecuteCommand(TWebSocketSession session, IWebSocketFragment requestInfo)
        {
            HandshakeRequest handshake = requestInfo as HandshakeRequest;

            if (handshake.Handshaked)
                session.OnHandshakeSuccess();
            else
                session.Close(SuperSocket.SocketBase.CloseReason.ServerClosing);
        }
On SuperWebSocket\Protocol\WebSocketHeaderReceiveFilter.cs
        public override IWebSocketFragment Filter(byte[] readBuffer, int offset, int length, bool isReusableBuffer, out int rest)
        {
              // existing code

            return new HandshakeRequest(false);
        }         

Change final return from null to new HandshakeRequest(false);
To replicate the issue, create an simple WebSocketServer, open a connection using your browser https://localhost:port/ws, you would noticed the connection is open not closed straight away and returns with 400 Bad Request. It is also evident if you check your Connected Session list, it's still there.
Marked as answer by technogear on 9/17/2014 at 6:25 PM