-
-
Notifications
You must be signed in to change notification settings - Fork 120
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
get cookie info with connection:info() and other enhancements #34
Comments
Hi, thanks for that. Unfortunately exposing cookies from sockjs server is not a good idea. This is due to the fact that sockjs uses an iframe trick, and in the result you will read cookies from your sockjs-server domain rather than the real origin. If you then, set cookies for the sockjs-server domain, you will be prone to CORF attack. It's best not to use http-layer cookies with sockjs. For authorization we usually propose following solution:
This comes up to the second question - no, there isn't a way to refuse sockjs connection before it is established. Once the connection is established, application callback is called and you can safely close the connection at will. Does it make sense? |
Hi Marek, Thanks for the quick response. My current implementation flow is as follows (it's on dev, nothing yet on prod, i m yet playing and evaluating)
Also since i m from xmpp/bosh background, i have my little implementation of XMPP XEP 0124/0206 sid/rid/hash-key and other stuffs as a wrapper on top of sockjs...I am using sockjs-client as a replacement for xmpp clients and sockjs-erlang as a replacement for my ebosh project of mine (connection manager). Idea is to have a bosh replacement, which doesn't bound it to xmpp specifics (i don't want raw xmpp packets to flow between browser and server) and i am able to run multiple tcp streams over same http bosh (sockjs) connection. e.g. xmpp, smtp, amqp, ... Regarding second question, my concerns were related to implementing an IP blacklist or say custom business level logics inside the first /info request handler. May be it will be a good idea to enable a callback from inside of /info request handler so that sockjs-erlang apps can take custom actions even on the /info call. For e.g. can i pass additional parameters along with In the send i think it boils down to exposing callback both on server and client side on the first /info request-response handlers. Let me know what you think of it? I already have a version of this running good on my dev. I will be happy to contribute that to the project if idea of callback seems like a good idea to you. Having said all this, i m still quite new to sockjs and i will admit i don't even know much about it's internal as of yet. Just did some doc readings and saw the raw sockjs protocol over the wire. I might be too abstract in my thinking above, having little knowledge about the whole sockjs paradigm. |
That's a neat idea. The problem - it's not websocket-api like. The goal is: sockjs should (at least in theory) be easily swappable with native websockets, and should expose API in similar spirit to it. Although some aspects of sockjs are not as close to websockets as I would imagine (say: cookies), we try to keep the api dumb. Seriously, please do consider sending a token/cookie over sockjs as a first packet, and then verifying it on the server side. If you wish to refuse connections per IP, please consider blocking users in iptables or on a load-balancer layer. |
Hi, I will indeed be having a security flow involved in some sense to validate my incoming sockjs channel request. So lets consider that been taken care of. I also evaluated stomp, but i found sockjs more suiting for me. Also it's well implemented, supported and have lots of available code base, ready to plugin. I think sockjs does it's job perfectly in exposing websockets api in a dumb fashion. As of now i will go ahead with what i have for getting this done inside /info request handler flow, which is by exposing a callback on both server and client side. I will recheck my implementations to make sure it is secure and cannot be hijacked or injected in any fashion. |
Hi Guys,
sockjs is a great piece of work. I am trying to integrate it with one of my application.
sockjs-erlang application runs on a different host/port than the usual web host/port.
As a result, i would like to have some kind of authorization/authentication flow before
a user can open a websocket stream. I think this is best solved by doing checks on cookie
data and validating them in the cache store.
To get cookie info, i have currently this patch working for me:
Other thing i found missing inside sockjs-erlang api is how can i shutdown/deny a connection attempt
from within my Conn init callback when i detect a invalid cookie data (ideally this should be
happening at /echo/info call level). One possible solution is to straightaway call Conn:close() ,
is that the best solution possible here?
The text was updated successfully, but these errors were encountered: