Open LoneEngineer opened 3 years ago
In my mind, it is better to use setupPayload for some session sharing, because it will be easier to switch to another transport, e.g. QUIC in the future, which will not have headers and so on.
But I will think about an API to provide serverSession.
Ktor's integration completely hides DefaultWebSocketServerSession (which provides access to Ktor's sessions) from a RequestHandler
Let's consider the following case. A user logs into a ktor-based service. The service authorizes the user and sets an http-only cookie with a session-id (which refers to the authorized user). Now the web client (js) sets up a web-socket connection (the web client has no access to the 'session cookie' as a security best practice). The only way to verify the web session currently is to use a connection interceptor, that's okay.
The question is - how to pass the result of validation from the interceptor to a request handler? Of course it's possible to create a token which is bound to the user's session for setting up the web-connection and pass that token in the setup frame - but it looks like undesired overhead since http already provides us with a secure mechanism.
Without rsocket, it can be done in raw Ktor's web-socket solution quite easily.
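The session-bound setup token mentioned in the thread could look like the sketch below. It is an added example, not code from rsocket-kotlin, Ktor or either participant; the `SetupTokens` class, the token layout and the 30-second lifetime are assumptions, and wiring it into the setup frame is left out because the thread does not show that API.

```kotlin
import java.security.MessageDigest
import java.security.SecureRandom
import java.util.Base64
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec

// Hypothetical helper: short-lived HMAC tokens bound to a server-side session id.
class SetupTokens(private val key: ByteArray, private val ttlMillis: Long = 30_000) {
    private val enc = Base64.getUrlEncoder().withoutPadding()
    private val dec = Base64.getUrlDecoder()

    private fun mac(data: String): ByteArray =
        Mac.getInstance("HmacSHA256").run {
            init(SecretKeySpec(key, "HmacSHA256"))
            doFinal(data.toByteArray(Charsets.UTF_8))
        }

    // Issue from an authenticated HTTP endpoint, where the http-only cookie is present.
    fun issue(sessionId: String, now: Long = System.currentTimeMillis()): String {
        val body = enc.encodeToString(sessionId.toByteArray(Charsets.UTF_8)) + "." + (now + ttlMillis)
        return body + "." + enc.encodeToString(mac(body))
    }

    // Verify when the setup frame arrives; returns the bound session id or null.
    fun verify(token: String, now: Long = System.currentTimeMillis()): String? {
        val parts = token.split('.')
        if (parts.size != 3) return null
        val sig = try { dec.decode(parts[2]) } catch (e: IllegalArgumentException) { return null }
        // Constant-time comparison of the received and recomputed MAC.
        if (!MessageDigest.isEqual(sig, mac(parts[0] + "." + parts[1]))) return null
        val expires = parts[1].toLongOrNull() ?: return null
        if (now > expires) return null
        return try { String(dec.decode(parts[0]), Charsets.UTF_8) }
               catch (e: IllegalArgumentException) { null }
    }
}

fun main() {
    val key = ByteArray(32).also { SecureRandom().nextBytes(it) }
    val tokens = SetupTokens(key)
    val token = tokens.issue("sess-1234", now = 1_000)   // constructed session id
    // Same signature and expiry, but the session id segment swapped for another one.
    val swapped = Base64.getUrlEncoder().withoutPadding()
        .encodeToString("sess-9999".toByteArray()) + token.substring(token.indexOf('.'))
    println(tokens.verify(token, now = 2_000))     // checked inside the lifetime
    println(tokens.verify(token, now = 40_000))    // checked after expiry
    println(tokens.verify(swapped, now = 2_000))   // checked with a swapped session id
}
```

The token is time-limited but not single-use, so a captured token can be replayed until it expires; keep the lifetime short and send it only over TLS.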