I want to provide a WebSocket-based service to my registered users. The website frontend is running on Server A, the WebSocket service is running on Server B.
I want to make sure that Server B won't grant access to a user that is not authenticated by Server A. I also want to avoid that a session can be hijacked.
I came up with this approach, but I have never implemented security for WebSockets. Might this be a good approach?
When a client wants to connect to my WebSocket, Server A requests a token from Server B. Server B will generate this token and send it back to Server A.
Server B will store the token in a cache.
Now the client is allowed to connect to the WebSocket. The client's first message contains the token.
Server B checks whether the token can be found in the cache and whether the token is already used by an active session.
If everything is fine, the client will be registered and is allowed to use the service.
Is this a good approach? Is there a better solution I won't have to implement myself?
I read this solution: Best way to create a TOKEN system to authenticate web service calls?
But since my users will send up to 500 messages per minute (that's the highest possible value... but still possible), I think this could cause some trouble...
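Server B's side of the flow described in the question (issue a one-time ticket to Server A, redeem it from the client's first WebSocket message, then track the resulting session so later messages only need a session lookup), as an added Python example that is not part of the original post; the 30-second ticket lifetime and the in-memory dict standing in for the cache are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Ticket:
    user_id: str
    issued_at: float


class ManualClock:
    """Settable clock so ticket expiry can be demonstrated without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class TicketStore:
    """Server B: tickets are handed to Server A, redeemed exactly once by the
    client's first WebSocket message, and exchanged for a session id."""

    def __init__(self, ttl: float = 30.0, clock: Callable[[], float] = time.monotonic) -> None:
        self.ttl = ttl                          # assumption: tickets live seconds, not minutes
        self.clock = clock
        self._tickets: Dict[str, Ticket] = {}   # stands in for the cache in the question
        self._sessions: Dict[str, str] = {}     # session_id -> user_id

    def issue(self, user_id: str) -> str:
        """Server-to-server call from Server A for a user it has already authenticated."""
        token = secrets.token_urlsafe(32)       # 256 random bits: unguessable
        self._tickets[token] = Ticket(user_id, self.clock())
        return token

    def redeem(self, presented: str) -> Optional[str]:
        """Consume the ticket sent in the client's first message; None on any failure."""
        ticket = self._tickets.pop(presented, None)   # pop: a ticket is usable only once
        if ticket is None:
            return None                               # unknown, or already used (replay)
        if self.clock() - ticket.issued_at > self.ttl:
            return None                               # expired (pop already removed it)
        session_id = secrets.token_urlsafe(16)
        self._sessions[session_id] = ticket.user_id
        return session_id

    def user_for_session(self, session_id: str) -> Optional[str]:
        """Per-message check: a single lookup, no round trip to Server A."""
        return self._sessions.get(session_id)
```

Because a ticket is removed on first use and expires quickly, a captured ticket cannot be replayed, and the per-message cost at 500 messages per minute is a session lookup rather than a re-authentication.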