
I want to implement session handling over websockets via node.js and socket.io without necessarily using cookies, and avoiding express.js, because there will also be clients not running in a browser environment. Has somebody done this already, or does anyone have experience with a proof of concept?

Felix Gertz
  • The examples at http://socket.io/ don't use express, but I guess you know that already. What additional information do you need? – Yusuf X Aug 25 '12 at 17:40

2 Answers


Before a socket.io connection is established, there is a handshake mechanism; by default, all properly formed incoming requests successfully shake hands. However, there is a method to get socket data during the handshake and return true or false depending on your choice, which accepts or denies the incoming connection request. Here is an example from the socket.io docs:

Because the handshakeData is stored after the authorization, you can actually add or remove data from this object.

var io = require('socket.io').listen(80);

// socket.io 0.9-style authorization hook; later socket.io versions replaced
// io.set('authorization', ...) with io.use() middleware.
io.configure(function () {
  io.set('authorization', function (handshakeData, callback) {
    // findDatabyIP is an async example function (not provided by socket.io);
    // it is expected to call back with (err, data), where data.authorized is a boolean
    findDatabyIP(handshakeData.address.address, function (err, data) {
      if (err) return callback(err);

      if (data.authorized) {
        // handshakeData persists after authorization, so anything attached
        // here is available to the connection's later event handlers
        handshakeData.foo = 'bar';
        for (var prop in data) handshakeData[prop] = data[prop];
        callback(null, true);
      } else {
        callback(null, false);
      }
    });
  });
});

The first argument of the callback function is an error; you can provide a string here, which will automatically refuse the client if it is not set to null. The second argument is a boolean: whether you want to accept the incoming request or not.

tozlu

This should be helpful, https://github.com/LearnBoost/socket.io/wiki/Authorizing

You could keep track of all session variables and uniquely identify users using a combination of the following fields available in handshakeData:

{
   headers: req.headers       // <Object> the headers of the request
 , time: (new Date) +''       // <String> date time of the connection
 , address: socket.address()  // <Object> remoteAddress and remotePort object
 , xdomain: !!headers.origin  // <Boolean> was it a cross domain request?
 , secure: socket.secure      // <Boolean> https connection
 , issued: +date              // <Number> EPOCH of when the handshake was created
 , url: request.url          // <String> the entrance path of the request
 , query: data.query          // <Object> the result of url.parse().query or a empty object
}

This example may help as well, just have your non-browser clients supply the information in a different way:

SocketIO + MySQL Authentication

Hortinstein
  • Good point, if I can add a session id into req.headers on the client side and validate it at authorisation. Therefore I have to write a standalone session handler decoupled from the req and res vars. Maybe I could use connect-session as a codebase to be compatible with the session stores and other things. Do you know how I can add values to the header on the client side? Once my websocket connection is authorized, is it as safe as a single HTTP request validating its session all the time? – Felix Gertz Aug 27 '12 at 08:02