
User authentication in tornado websocket application

I am currently improving my Tornado skills and have a question about user auth.

My solution is to create a secure token on the first page and then send it with the other data from JavaScript to the Tornado server, which checks it and authenticates the user.

I thought about cookies, but I don't know how I can read cookies in WebSocketHandler.on_message.

What do you think? And where am I wrong? Thanks.

yessi asked Dec 07 '11 09:12


2 Answers

I suggest you read the overview section in the documentation.

There should be some relevant content there:

  • Cookies and secure cookies
  • User Authentication
  • Third Party Authentication

EDIT

I just realized your question is about websockets. I believe you can use the approach you outline:

  • Create a cookie in the non-websocket part of your app
  • Check the cookie in the websocket handler

You should be able to access the request headers inside the websocket handler using self.request.headers.

codeape answered Nov 08 '22 12:11


A client can probably make the request headers with a fake user: 'user="ImFkbWxxxx==|xxxxxxxxxx|9d847f58a6897df8912f011f0a784xxxxxxxxxx"'

I think the following approach is better. If the user does not exist, or if the cookie id is not correct or is falsified, then the function get_secure_cookie will not return a user.

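import tornado.websocket

class WebSocketHandler(tornado.websocket.WebSocketHandler):

    def open(self):
        # Returns None when the cookie is absent or its signature does not verify.
        user_id = self.get_secure_cookie("user")
        if not user_id:
            self.close()  # drop the unauthenticated connection instead of leaving it open
            return
        ...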
Guillaume Vincent answered Nov 08 '22 10:11
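
As an added example (not code from either answer), the check the second answer relies on can be run outside a handler with `tornado.web.create_signed_value` and `tornado.web.decode_signed_value`, the functions behind `set_secure_cookie` and `get_secure_cookie`. The secret, the user name `alice` and the helper names are constructed for the demo; it shows that a `Cookie` header edited or invented by the client yields no user.

```python
from http.cookies import SimpleCookie
from typing import Optional

from tornado.web import create_signed_value, decode_signed_value

# Assumption: stands in for the application's cookie_secret setting.
COOKIE_SECRET = "constructed-demo-secret-not-for-production"


def user_from_cookie_header(cookie_header: str,
                            secret: str = COOKIE_SECRET) -> Optional[str]:
    """Return the user id only if the "user" cookie has a valid signature."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "user" not in jar:
        return None
    # None when the value is unsigned, altered, expired or signed with another key.
    raw = decode_signed_value(secret, "user", jar["user"].value)
    return raw.decode("utf-8") if raw is not None else None


def demo() -> dict:
    # Value the non-websocket login page would set (constructed sample).
    signed = create_signed_value(COOKIE_SECRET, "user", "alice").decode("ascii")
    # Client-side edit: change the last hex digit of the signature.
    flipped = signed[:-1] + ("0" if signed[-1] != "0" else "1")
    return {
        "genuine": user_from_cookie_header(f'user="{signed}"'),
        "tampered": user_from_cookie_header(f'user="{flipped}"'),
        "unsigned": user_from_cookie_header("user=admin"),
        "missing": user_from_cookie_header("session=abc"),
        "wrong_key": user_from_cookie_header(f'user="{signed}"',
                                             secret="some-other-secret"),
    }


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case:10s} -> {user!r}")
```

Reading `self.request.headers` directly gives the handler the raw string the client sent, so the signature check above (or `get_secure_cookie`, which performs it) is the step that turns the header into an authenticated identity.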