WebSockets
Also Known As
WebSocket
ws://
wss://
full-duplex HTTP
TL;DR
A persistent full-duplex TCP connection enabling real-time bidirectional messaging between browser and server without polling overhead.
Explanation
WebSockets upgrade an HTTP connection to a persistent bidirectional channel: either side can push messages at any time with minimal framing overhead. Ideal for live dashboards, chat, collaborative editing, real-time game state, and push notifications. Because the handshake is an ordinary HTTP GET, the browser attaches cookies and an Origin header to it, but the same-origin policy does not block the connection; the server must check Origin and authenticate the upgrade itself, or any site the user visits can open a socket as that user (the CWE-352 / CWE-345 angle tagged below). Traditional PHP (synchronous, one request per worker process under PHP-FPM) is poorly suited to holding thousands of long-lived connections. Use a dedicated WebSocket server: Ratchet (built on ReactPHP), Swoole, or RoadRunner for PHP-native solutions. A common practical pattern: a lightweight Node.js or Go WebSocket server owns the connections and relays events via Redis Pub/Sub, while PHP handles business logic through standard HTTP endpoints.
Common Misconception
✗ WebSockets replace HTTP for all real-time features. WebSockets hold one persistent connection per client, which is costly at scale and unnecessary for one-way server push. Server-Sent Events (SSE) are simpler and sufficient for unidirectional streaming, need no protocol upgrade, and work over plain HTTP/1.1 and HTTP/2.
Why It Matters
WebSockets provide full-duplex persistent connections — eliminating the overhead of HTTP request/response for real-time applications like chat, live dashboards, and multiplayer games.
Common Mistakes
- Not authenticating the WebSocket upgrade request or checking its Origin header — anyone can connect without credentials, and a page on another origin can connect with the victim's browser cookies.
- Storing WebSocket connection state in memory on one server — horizontal scaling requires a shared state layer (Redis pub/sub).
- Not handling connection drops and reconnection logic on the client — connections drop; clients must reconnect.
- Broadcasting large payloads to all connections — use targeted pub/sub, not broadcast to all.
Code Examples
✗ Vulnerable
// WebSocket server with no authentication:
$server->on('open', function(Connection $conn): void {
// No auth check — any client can connect and receive all messages
$this->clients->attach($conn);
});
// Should verify a token in the upgrade request headers or first message
✓ Fixed
// PHP WebSocket server with Ratchet 0.4: check Origin and a session token on the
// upgrade request in onOpen, before the connection joins the client pool
use Ratchet\MessageComponentInterface;
use Ratchet\ConnectionInterface;
class ChatServer implements MessageComponentInterface {
    private \SplObjectStorage $clients;
    // Origins allowed to open a socket; browsers always send Origin on the upgrade
    private array $allowedOrigins = ['https://yourapp.com'];
    /** @var callable(string): bool  app-supplied session lookup (Redis, DB, ...) */
    private $sessionExists;
    public function __construct(callable $sessionExists) {
        $this->clients = new \SplObjectStorage();
        $this->sessionExists = $sessionExists;
    }
    public function onOpen(ConnectionInterface $conn): void {
        // Ratchet exposes the HTTP upgrade request as a PSR-7 request object
        $request = $conn->httpRequest;
        $origin  = $request->getHeaderLine('Origin');
        parse_str($request->getUri()->getQuery(), $query);
        $token = (string) ($query['token'] ?? '');
        // Reject cross-site upgrades and clients without a valid session
        if (!in_array($origin, $this->allowedOrigins, true) || $token === '' || !($this->sessionExists)($token)) {
            $conn->close();
            return;
        }
        $this->clients->attach($conn); // only authenticated connections reach the pool
    }
    public function onMessage(ConnectionInterface $from, $msg): void {
        foreach ($this->clients as $client) {
            if ($client !== $from) $client->send($msg); // broadcast to authenticated peers
        }
    }
    public function onClose(ConnectionInterface $conn): void {
        $this->clients->detach($conn);
    }
    public function onError(ConnectionInterface $conn, \Exception $e): void {
        $conn->close();
    }
}
// Start server: php bin/chat-server.php (pass your session lookup to the constructor)
// Client JS, behind a TLS-terminating proxy so the token is not sent in clear:
// const ws = new WebSocket('wss://yourapp.com/ws?token=' + sessionToken);
Added
15 Mar 2026
Edited
22 Mar 2026
Related categories
⚡
DEV INTEL
Tools & Severity
🔵 Info
⚙ Fix effort: High
⚡ Quick Fix
Use Ratchet (built on ReactPHP), Swoole or RoadRunner for WebSocket servers in PHP; authenticate and origin-check the upgrade request, send heartbeat pings every 30s and close connections that miss a pong, and handle close/error events so zombie connections do not accumulate
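The heartbeat part of the Quick Fix, as an added example that is not from the page: a monitor that pings every registered connection on each tick and terminates any connection that did not answer the previous ping. It is written for the Node.js front server the Explanation mentions and assumes connections expose ping(), terminate() and 'pong'/'close' events, as the popular ws library's sockets do; FakeConn is a constructed stand-in so the logic runs offline.

```javascript
// Tracks which connections answered the last ping; unanswered ones are
// zombies (half-open TCP, crashed client, NAT timeout) and get terminated.
class HeartbeatMonitor {
  constructor(intervalMs = 30000) {
    this.intervalMs = intervalMs;
    this.alive = new Map(); // conn -> answered the last ping?
    this.timer = null;
  }

  // Register a connection; a pong marks it alive until the next tick.
  add(conn) {
    this.alive.set(conn, true);
    conn.on('pong', () => this.alive.set(conn, true));
    conn.on('close', () => this.alive.delete(conn));
  }

  // One sweep: terminate connections that never answered, ping the rest.
  // Returns the terminated connections so callers can log or count them.
  tick() {
    const killed = [];
    for (const [conn, answered] of this.alive) {
      if (!answered) {
        this.alive.delete(conn);
        conn.terminate(); // hard close; a polite close() would also wait on a dead peer
        killed.push(conn);
        continue;
      }
      this.alive.set(conn, false); // must be reset by a pong before the next tick
      conn.ping();
    }
    return killed;
  }

  start() { this.timer = setInterval(() => this.tick(), this.intervalMs); }
  stop() { clearInterval(this.timer); }
}

// Constructed stand-in for a ws socket (assumed API: on/ping/terminate).
// `responsive` controls whether it answers pings with a pong.
class FakeConn {
  constructor(responsive) {
    this.responsive = responsive;
    this.handlers = {};
    this.terminated = false;
    this.pings = 0;
  }
  on(event, fn) { this.handlers[event] = fn; }
  ping() { this.pings++; if (this.responsive) this.handlers.pong(); }
  terminate() { this.terminated = true; if (this.handlers.close) this.handlers.close(); }
}

// Two ticks with one healthy and one silent client: the silent one is reaped
// on the second tick, the healthy one keeps being pinged.
function demo() {
  const monitor = new HeartbeatMonitor(30000);
  const good = new FakeConn(true);
  const zombie = new FakeConn(false);
  monitor.add(good);
  monitor.add(zombie);
  monitor.tick();                  // both pinged; only `good` pongs
  const killed = monitor.tick();   // zombie missed its pong -> terminated
  return {
    killedCount: killed.length,
    goodAlive: !good.terminated,
    zombieDead: zombie.terminated,
    stillTracked: monitor.alive.size,
  };
}
```

In production, call monitor.add() from the server's connection handler after the upgrade has been authenticated, and start() once; a connection that misses a single interval is dropped, so pick the interval longer than the worst expected round trip plus client pong latency.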
📦 Applies To
PHP 7.0+
web
🔍 Detection Hints
Real-time bidirectional feature implemented with polling when WebSocket would be more efficient
Auto-detectable:
✗ No
🤖 AI Agent
Confidence: Medium
False Positives: Medium
✗ Manual fix
Fix: Medium
Context: File
Tests: Update
CWE-352
CWE-345