Websocket based app, Security and Real-time good practice?

I'm using WebSocket for real-time communication in my mobile app project. I implemented basic security logic: to connect to the server, the client must have a key.

-When the client connects to the server, it immediately sends a JSON object containing authentication information:

{
    action:"auth",
    device_id: "string",
    auth_key: "string",
    user: "string"
}

-The server replies with a session id if the key is correct, or drops the connection. From then on, every message sent by the client is a JSON object carrying that session id, so that the server can recognize it; all unknown clients are dropped.

Now the big problem is that the WebSocket protocol doesn't understand JSON, so I have to use JSON.stringify() and JSON.parse() to send my data through. I also have to check whether the session id is valid; this takes time, and the application is not smooth anymore (before it was).

For example, if it records mouse pointer moves, such data is sent to the server as the mouse is moving, so it sends data several times in a short period, and because of the logic I've implemented, it's not smooth at all:

{
    session_id: "string",
    user: "string",
    action: "mousemove",
    position: {
        x: int,
        y: int
    }
}

My concerns are:

-Secure the server, so that no one can access it and send commands without authorization.

-Keep it REALLY real-time.

-Have a good data format (JSON if possible).

Answers


To really make your communication secure, you need to use a TLS connection. The stuff you are doing with user authentication looks OK.

But it's strange that authentication time is a problem for you; probably you need to implement a session cache to make session id validation quicker.

JSON isn't the best format for transferring data over the network from a size perspective, but the WebSocket specification doesn't specify formats; it's up to you what to use, and JSON is also OK unless you are really concerned about traffic savings.

To make your communication smooth, you can aggregate data on the client side and send it once per second, for example. I believe you don't actually need so many mouse coordinates.
