WebSocket Protocol
Also Known As
WebSockets
ws://
wss://
full-duplex
TL;DR
A full-duplex communication protocol over a single TCP connection — the client and server can both send messages at any time without polling.
Explanation
A WebSocket connection begins as an HTTP request carrying an Upgrade: websocket header. Once the server acknowledges, the connection upgrades to a persistent bidirectional TCP channel. Frames carry text or binary data in either direction. Unlike HTTP request-response, the server can push data to the client at any time. The ws:// scheme is unencrypted; wss:// uses TLS. PHP WebSocket servers require a persistent process (Ratchet, Swoole, ReactPHP) since PHP-FPM terminates after each request.
Diagram
sequenceDiagram
participant C as Browser
participant S as Server
C->>S: HTTP GET /chat<br/>Upgrade: websocket
S-->>C: 101 Switching Protocols
Note over C,S: TCP connection kept open
C->>S: Frame: hello server
S-->>C: Frame: hello client
S-->>C: Frame: push notification
C->>S: Frame: ping
S-->>C: Frame: pong
C->>S: Frame: close
S-->>C: Frame: close
Note over C,S: Full duplex - both sides push any time
Common Misconception
✗ PHP cannot do WebSockets — standard PHP-FPM cannot, but Swoole, Ratchet (ReactPHP), and OpenSwoole all support WebSocket servers in PHP.
Why It Matters
Real-time features (live chat, collaborative editing, live dashboards) require the server to push updates — WebSockets enable this without client polling overhead.
Common Mistakes
- Using WebSockets for request-response patterns — HTTP is more appropriate; WebSockets suit continuous bidirectional streams.
- No heartbeat/ping — idle WebSocket connections are silently dropped by load balancers; send periodic pings.
- No authentication on the WebSocket connection — validate a token during the upgrade handshake before accepting the connection.
- Not handling reconnection — connections drop; clients must implement exponential backoff reconnection logic.
Code Examples
✗ Vulnerable
// No authentication on WebSocket upgrade:
$server->on('open', function (ConnectionInterface $conn) {
    $this->clients->attach($conn);
    // Anyone who connects receives all messages — no auth check
});
✓ Fixed
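// Authenticate during upgrade:
$server->on('open', function (ConnectionInterface $conn) {
    $request = $conn->httpRequest;
    // Read the token from the upgrade request's URI query string
    parse_str($request->getUri()->getQuery(), $query);
    $token = $query['token'] ?? '';
    // Reject missing, non-string (token[]=...) or invalid tokens before registering the client
    if (!is_string($token) || !$this->auth->validateToken($token)) {
        $conn->close();
        return;
    }
    // Index the connection by the authenticated user
    $userId = $this->auth->getUserId($token);
    $this->clients[$userId] = $conn;
});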
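The handshake gate described above, as an added example that is not code from the original page or from Ratchet, Swoole or ReactPHP. It goes beyond the page's token check by also validating the upgrade headers and the Origin header and by computing the Sec-WebSocket-Accept value defined in RFC 6455. The function names, the origin allowlist, the demo key and the "userId.expiry.hmac" token format are assumptions made for illustration.

```php
<?php
// Constructed assumptions: the origin allowlist, demo key and "userId.expiry.hmac" token format.
const ALLOWED_ORIGINS = ['https://app.example.test'];
const TOKEN_KEY = 'constructed-demo-key'; // load from a secret store in practice
const WS_GUID = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11'; // fixed by RFC 6455
function issueToken(string $userId, int $expires): string
{
    return "$userId.$expires." . hash_hmac('sha256', "$userId.$expires", TOKEN_KEY);
}

// Returns the user id for a valid, unexpired token, otherwise null.
function verifyToken(string $token, int $now): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[1])) {
        return null;
    }
    [$userId, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $userId . '.' . $expires, TOKEN_KEY);
    return hash_equals($expected, $mac) && (int) $expires >= $now ? $userId : null;
}

// Decides the handshake status from lower-cased header names and the query string.
function handleUpgrade(array $headers, string $query, int $now): array
{
    $key = $headers['sec-websocket-key'] ?? '';
    if (strtolower($headers['upgrade'] ?? '') !== 'websocket'
        || ($headers['sec-websocket-version'] ?? '') !== '13'
        || strlen((string) base64_decode($key, true)) !== 16) {
        return ['status' => 400]; // fails the basic upgrade checks
    }
    if (!in_array($headers['origin'] ?? '', ALLOWED_ORIGINS, true)) {
        return ['status' => 403]; // socket opened from a site that is not on the allowlist
    }
    parse_str($query, $params);
    $token = $params['token'] ?? '';
    $user = is_string($token) ? verifyToken($token, $now) : null;
    if ($user === null) {
        return ['status' => 401]; // reject before any frame is exchanged
    }
    return ['status' => 101, 'user' => $user, 'accept' => base64_encode(sha1($key . WS_GUID, true))];
}

// Constructed sample request (the key is the example value from RFC 6455).
$now = 1770000000;
$headers = ['upgrade' => 'websocket', 'sec-websocket-version' => '13',
    'sec-websocket-key' => 'dGhlIHNhbXBsZSBub25jZQ==', 'origin' => 'https://app.example.test'];
print_r(handleUpgrade($headers, 'token=' . issueToken('alice', $now + 60), $now)); // valid token
print_r(handleUpgrade($headers, 'token=' . issueToken('alice', $now - 1), $now));  // expired token
```

Tokens passed in the query string can end up in proxy and access logs, so keep them short-lived and scoped to the socket.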
Added
15 Mar 2026
Edited
22 Mar 2026
DEV INTEL
Tools & Severity
🟡 Medium
⚙ Fix effort: High
⚡ Quick Fix
For PHP, use Laravel Reverb (native) or Soketi (self-hosted Pusher-compatible) rather than implementing WebSocket from scratch; they handle the protocol complexity and integrate with Laravel events.
📦 Applies To
PHP 7.0+
web
api
laravel
🔍 Detection Hints
Long polling every 1 second where WebSocket would be more efficient; real-time bidirectional feature implemented with HTTP requests
Auto-detectable:
✗ No
reverb
soketi
ratchet
pusher
🤖 AI Agent
Confidence: Medium
False Positives: Medium
✗ Manual fix
Fix: Medium
Context: File
Tests: Update