@Pablo-J.-Rogina
Thanks for your reply. But in the article you mentioned said that we can authenticate socket via cookie, or pass authorization header when connecting, but in QWebsocketServer, we can only access "origin" in header, so we cannot authenticate socket before accepting connection.
Furthermore , I think that authenticating socket after accepting connection is not a good way. Because attackers can initiate a lot of zombie websockets to connect to server, although these "zombie" do anything but they will occupy lots of resources of server.