Cookies.
egobrain opened this issue · 4 comments
Need help.
Is there a way to get cookies from the request?
I'm using cowboy and want to authorize the user before connecting him.
Is there any way to solve my problem?
@egobrain Due to the nature of SockJS (especially the iframe-based transports), Cookie and Origin headers may be very misleading. Using them for authorization will inevitably lead to security issues. Further reading:
- sockjs/sockjs-node@1241bde
- sockjs/sockjs-node#49
- sockjs/sockjs-node#50
- sockjs/sockjs-node#29
- https://en.wikipedia.org/wiki/Cross-site_request_forgery
Please consider sending a unique authorization token over SockJS.
Why do you need to authorize before the connection is established?
I'm developing an app where only authorized users can access the server.
I don't want to handle unauthorized connections.
Okay, that's what I do:
- wait for a connection from anyone
- on the server side, receive the authorisation token as the first thing on the connection
- if token is invalid or if it doesn't appear in let's say 5 seconds, abruptly close the connection
Will that work for you?
Yes. I can do so... Thank you.
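The handshake outlined in the thread (accept anyone, expect the token as the first message, close on an invalid token or after 5 seconds), as an added example that is not code from the thread or from the SockJS project. It is transport-agnostic JavaScript; `createAuthGate`, `verifyToken`, `onMessage`, the `timers` parameter and the `conn.close(reason)` shape are assumptions to be wired to the server's own connection callbacks.

```javascript
// Added example: "authenticate on first message" gate for a SockJS-style
// connection. All names here are hypothetical, not a SockJS API.
const AUTH_TIMEOUT_MS = 5000; // "let's say 5 seconds" from the thread

const realTimers = {
  set: (fn, ms) => setTimeout(fn, ms),
  clear: (id) => clearTimeout(id),
};

// conn:        object with close(reason) (assumed shape)
// verifyToken: app-supplied; returns a user id for a valid token, else null
// onMessage:   app handler, only ever called after successful authentication
function createAuthGate(conn, verifyToken, onMessage, timers = realTimers) {
  let state = 'pending'; // pending -> authed | closed
  let user = null;

  const reject = (reason) => {
    if (state === 'closed') return;
    state = 'closed';
    timers.clear(deadline);
    conn.close(reason);
  };

  // The deadline starts when the connection is accepted, so a silent
  // peer cannot hold an unauthenticated connection open indefinitely.
  const deadline = timers.set(() => {
    if (state === 'pending') reject('auth timeout');
  }, AUTH_TIMEOUT_MS);

  return {
    state: () => state,
    // Call for every frame received on the connection.
    receive(data) {
      if (state === 'closed') return;
      if (state === 'authed') return onMessage(user, data);
      // The first frame must be the token; nothing else is processed first.
      user = typeof data === 'string' ? verifyToken(data) : null;
      if (user === null) return reject('invalid token');
      state = 'authed';
      timers.clear(deadline);
    },
    // Call when the transport reports that the peer went away.
    closed() {
      state = 'closed';
      timers.clear(deadline);
    },
  };
}
```

Because the token travels inside the SockJS session rather than in a Cookie or Origin header, the check does not depend on which transport the client ended up using.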