Security is a very important topic especially when dealing with web applications. Wisej is secure by design and supports all the latest security defenses. Below you will find the most common threats and a description of how they are handled.
One of the biggest difference between a traditional HTML-based ASP.NET/MVC/JSP/... application and a Single Page Application (SPA) is that the traditional HTML-based application concatenates HTML strings on the server and sends them back to the client together with scripts, and parses HTML requests from the browser, while an SPA (in our case a Real Time Web Application) doesn't build or parse HTML strings.
This is a common problem for all web applications that maintain a session. Binding a session to a user requires either a session cookie or a session id added to the URL.
If someone gets hold of a live session id, they can easily access a live session and breach an application (session hijacking). According to Microsoft, there is very little that can be done to prevent this type of attack when using ASP.NET/MVC. Especially when using the cookieless mode and the session id is added to the URL.
Wisej supports both cookies and cookieless modes, when cookieless is turned on, the session id is plainly visible in the URL. In order to prevent session hijacking, Wisej generates a client fingerprint hash using all the information received by the browser and validates each request. If the client fingerprint doesn't match, Wisej assumes that it's a new client and starts a new session.
The WebSocket connection adds an additional layer of protection since it is impossible to attach two live sockets to the same session. Wisej can also force the client browser to use
SSL (https: and wss: for WebSocket) by setting the
secure setting to true.
When using WebSocket, it is impossible to send a spoofed request to the same session. When using only HTTP, the computer of the attacker much be identical to the computer of the client that initiated the session, including the browser version, OS, and IP address!
We didn't include code to protect against denial of service attacks (DoS) because it would still be too late once it reaches the http handler. We can ameliorate a DoS event but it doesn't help much at that level since IIS has already used a thread. DoS attacks are better handled at the OS level before they reach the web server, whether it’s apache or IIS. There are also several HttpHandler samples around, but, again, at the handler level it may be too late to effectively stop a DoS attack.
Wisej can authenticate users using any authentication method available to a .NET application. Since nothing is shown to the user - no page, form, or control - or even created, unless your application has created it, your application can perform any kind of authentication before enabling the user to access its resources.
In addition to code authentication, Wisej supports the standard IIS authentication methods and makes the user credentials available to your code
With Wisej absolutely nothing from your application code makes it to the client (unless you put it there). Everything runs safely on the server and all the communications between the server and the client are either property updates or events.