Is it possible to add HTTP headers to a Socket.io handshake?

I'm trying to secure the channel between my socket.io client and the node.js side. The main web application is in Drupal so I can't pass the cookies to node.js if node.js is on another host. I'd like to add some custom headers to the Socket.io HTTP handshake (like the PHP session). Do you know if it is possible? Using Socket.io 0.7

Claudio asked Nov 04 '22 19:11



1 Answer

P.S: I am just brainstorming here a little bit. I like this problem and am going to think a little bit more about it. So far I have only thought about it from the node.js same-domain angle...

GitHub issue

I don't know (I don't think so) if it is possible to add headers. P.S: I think you should also try to file an issue at https://github.com/LearnBoost/socket.io/issues. The nice thing about GitHub is that the author will receive an email when somebody posts an issue. Also, the people at LearnBoost are really nice people who like to help you out.

Proxy

Proxy all your requests so that they come from the same domain.

Referer

The Referer header is passed, so you can pass information through it. This can also be spoofed, so you had better create something you can validate (only once) from Drupal. I guess this would be pretty easy to implement...

Only allow message flow after verification

What I know you can do is disconnect sockets via socket.disconnect(). Open the connection and retrieve socket.io's id, but only accept messages after the identity has been approved. I would make a route available via Express which Drupal can curl-POST socket.io's id to (keep the route private). Because you are inside Drupal's domain you can access Drupal's session information.

// v0.7.x: inside io.sockets.on('connection', function (socket) { ... })
// the id socket.io assigned to this connection is the value Drupal has to vouch for
var sid = socket.id;

To make this secure the only option is to use SSL (that is the only way you can make any communication link secure anyway). If you trust both domains, SSL is probably not really necessary. Then, if socket.io's id is allowed, you allow message flow; else I would just disconnect the connection.

PusherApp

Another option would be to implement/clone Pusher's authentication => http://pusher.com/docs/client_api_guide/client_channels#subscribe-private-channels


P.S: I will try to upload an example later, but for now it is time for me to sleep. Hopefully this made some sense :)...

Alfred answered Nov 12 '22 17:11