Cookies. - Githubissues

egobrain commented 12 years ago

Need help. Is there way to get cookies from request. I'm using cowboy and want to authorize user before connect him. Is there any way to solve my problem ?

majek commented 12 years ago

@Egobrain Due to the nature of SockJS (especially the iframe-based transports), Cookie and Origin headers may be very misleading. Using them for authorization will inevitably lead to security issues. Further reading:

Please consider sending a unique authorization token over SockJS.

Why do you need to authorize before the connection is established?

egobrain commented 12 years ago

I'm developing app where only authorized users can access server. I don want to handle unauthorized connection.

Marek Majkowski
reply@reply.github.com
:

@Egobrain Due to the nature of SockJS (especially the iframe-based
transports), Cookie and Origin header may be very misleading. Using them
for authorization will inevitably lead to security issues. Further
reading:

https://github.com/sockjs/sockjs-node/commit/1241bde38fafc21afcc6d0f2c310aa5348aaf1a0

https://github.com/sockjs/sockjs-node/pull/49

https://github.com/sockjs/sockjs-node/issues/50

https://github.com/sockjs/sockjs-node/pull/29

https://en.wikipedia.org/wiki/Cross-site_request_forgery

Please consider sending a unique authorization token over SockJS.

Why do you need to authorize before the connection is established?

Reply to this email directly or view it on GitHub:

https://github.com/sockjs/sockjs-erlang/issues/16#issuecomment-4714509

majek commented 12 years ago

Okay, that's what I do:

await for connection from anyone
on the server side receive authorisation token as first thing on the connection
if token is invalid or if it doesn't appear in let's say 5 seconds, abruptly close the connection

Will that work for you?

egobrain commented 12 years ago

Yes. I can do so... Thank you.

sockjs / sockjs-erlang

Cookies. #16