0

I have an application up and running. Users requested that after they log in they would stay logged in when they come back later.

I know that I need to somehow store session data on the client side, cookies for example. I tried this https://stackoverflow.com/a/25618636/2440515 but it doesn't work. Neither does this https://www.npmjs.com/package/socket.io-handshake

I have both Express and Socket.io in the latest versions.

My application authenticates using Socket.io, so I will need a way to update cookies from a Socket.io callback. I spent the last 4h searching and trying different solutions. Can someone give me a hint?

Thank you!

youbetternot
  • Can you be a little more detailed about the architecture of your application? What are the roles of Express and Socket.io? Anyway, have you thought of doing it with JWT? You could save the token in the browser using HTML Web Storage, append it to subsequent Express requests and then verify it with a middleware. – Thiago Duarte Feb 28 '15 at 03:43
  • OK, I ended up writing an encrypted cookie client side, then decoding and reading session data server side. – youbetternot Mar 02 '15 at 10:33
  • Glad you solved it. You should check this out anyway, as JWT is becoming the norm for Node.js authentication: http://www.sitepoint.com/using-json-web-tokens-node-js/ – Thiago Duarte Mar 03 '15 at 03:07
  • This link can help you: http://stackoverflow.com/questions/15169418/how-can-i-get-sessions-to-work-using-redis-express-socket-io – Hardik Barot Mar 04 '15 at 06:53

1 Answer

0

You can use the cookie module to resolve the cookies passed:

$ npm install cookie

In code:

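//...
var cookie = require('cookie');
//...
io.use(function (socket, next) {
   // The Cookie header is absent on a first visit; cookie.parse() needs a string.
   var cookies = cookie.parse(socket.request.headers.cookie || '');

   var my_secret = cookies.my_secret || null;

   if (!my_secret) {
       return next(new Error('No cookie set'));
   }

   // validateMySecretAsync is the application's own check; it must call
   // next() on success or next(err) to reject the handshake.
   validateMySecretAsync(my_secret, next);

});
// ....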
Exos
  • Hey, I saw your answer and I think it's similar to this: http://stackoverflow.com/a/25921668/2440515 . Please have a look, it's very simple. I have tried it before and had all the code already. I still have no idea how to save data to the cookie. I can attach data to socket.handshake.session but it will not persist. – youbetternot Feb 28 '15 at 14:34
  • Do you create the cookie with Express? – Exos Mar 01 '15 at 05:26
  • OK, I ended up writing an encrypted cookie client side, then decoding and reading session data server side. – youbetternot Mar 02 '15 at 10:33
  • You don't need to use an encrypted cookie, you have to send a token-like string. I recommend you don't do the security at the app level; instead use a higher-level protocol such as SSL. You can generate the token with a salt-based hash, like "sha1( user_id + salt)", and validate with that. – Exos Mar 03 '15 at 02:23
  • I did, I sent an encrypted (JWT) session token as a string and saved it as a cookie. I will look into HTTPS and SSL soon. My app is behind HAProxy and Phusion Passenger (Apache version). – youbetternot Mar 04 '15 at 16:42
  • So, what is your current problem? If you can read the cookie, the "validateMySecretAsync" method can check it with JWT. – Exos Mar 04 '15 at 22:40
  • There is none, my friend :) I said that "I ended up writing encrypted cookie client side, then decoding and reading session data server side." – youbetternot Mar 04 '15 at 22:56
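
An added example (not code from the question, the answer or any library named here): one way to issue and verify the token string discussed in the comments, using an HMAC-SHA256 signature with an expiry rather than a plain sha1(user_id + salt) hash. `SECRET`, `readCookie`, `socketAuth`, `sessionCookie` and `socket.userId` are hypothetical names; `my_secret` is the cookie name from the answer.

```javascript
const crypto = require('crypto');
// Constructed sample values; a real key comes from configuration.
const SECRET = 'constructed-demo-key-not-for-production';
const COOKIE_NAME = 'my_secret'; // cookie name used in the answer above

function sign(payload, secret) {
  return crypto.createHmac('sha256', secret).update(payload).digest('base64url');
}

// Issue "<userId>.<expiryMs>.<mac>" after a successful login.
function issueToken(userId, secret, ttlMs, now = Date.now()) {
  const payload = `${Buffer.from(String(userId)).toString('base64url')}.${now + ttlMs}`;
  return `${payload}.${sign(payload, secret)}`;
}

// Return the user id for a valid, unexpired token, otherwise null.
function verifyToken(token, secret, now = Date.now()) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) return null;
  const [uid, exp, mac] = parts;
  const expected = Buffer.from(sign(`${uid}.${exp}`, secret));
  const given = Buffer.from(mac);
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  if (!/^\d+$/.test(exp) || Number(exp) <= now) return null;
  return Buffer.from(uid, 'base64url').toString();
}

// Minimal stand-in for cookie.parse() so the example has no dependencies.
function readCookie(header, name) {
  for (const pair of String(header || '').split(';')) {
    const i = pair.indexOf('=');
    if (i > 0 && pair.slice(0, i).trim() === name) return pair.slice(i + 1).trim();
  }
  return null;
}

// Socket.io middleware with the same shape as the io.use() handler above.
function socketAuth(secret) {
  return (socket, next) => {
    const userId = verifyToken(readCookie(socket.request.headers.cookie, COOKIE_NAME), secret);
    if (!userId) return next(new Error('Not authenticated'));
    socket.userId = userId; // hypothetical property for later handlers
    next();
  };
}

// Set-Cookie value for the HTTP response that completes the login.
const sessionCookie = (token, ttlMs) =>
  `${COOKIE_NAME}=${token}; Max-Age=${Math.floor(ttlMs / 1000)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
```

An `HttpOnly` cookie cannot be written from a Socket.io callback in the browser, so the `sessionCookie` value has to be sent as a `Set-Cookie` header on an HTTP response.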