|
|
|
|
|
|
by skissane
838 days ago
|
|
|
> the only option is to encode the Auth information in the URL (since browsers don't allow custom headers in the initial HTTP request for negotiating a web socket). Put a timestamp in the token and sign it with a private key, so that the token expires after a defined time period. If the URL is only valid for the next five minutes, the odds that the URL will leak and be exploited in that five minute window is very low |
|
|