User authentication in tornado websocket application

Question

Now, i improve my tornado skills and have a question about user auth.

And my solution is create secure token on first page and next send it with other data, from javascript to tornado server where do checking and auth user.

i think about cookie but i don't know how i can read cookies in WebSocketHandler.on_message

what you think ? and where i wrong ? Thanks

Answer 1

I suggest you read the overview section in the documentation.

There should be some relevant content there:

• Cookies and secure cookies
• User Authentication
• Third Party Authentication

EDIT

I just realized your question is about websockets. I believe you can use the approach you outline:

• Create a cookie in the non-websocket part of your app
• Check the cookie in the websocket handler

You should be able to access the request headers inside the websocket handler using self.request.headers.

Answer 2

A client can probably make the request headers with a fake user: 'user="ImFkbWxxxx==|xxxxxxxxxx|9d847f58a6897df8912f011f0a784xxxxxxxxxx"'

I think the following approach is better. If the user does not exist or if the cookie id is not correct or falsified, then the function get_secure_cookie will not return a user

class WebSocketHandler(tornado.websocket.WebSocketHandler):

    def open(self):
        user_id = self.get_secure_cookie("user")
        if not user_id: return None
        ...