voryx / Thruway

PHP Client and Router Library for Autobahn and WAMP (Web Application Messaging Protocol) for Real-Time Application Messaging
MIT License
674 stars 117 forks

Authentication using existing sessionid cookie #283

Closed senshi-x closed 6 years ago

senshi-x commented 6 years ago

I need to add authentication to my websocket to assign roles as well as possibly restrict allowed RPC calls on the server client.

The user logs in via a REST route, starting a PHP session, which in turn sets a PHPSESSID cookie. I would like to have this as httponly, so no direct JavaScript access is possible.

The idea is to start the websocket session after this authorization has been completed, using the already existing PHP sessionid.

My clients use angularwamp.

Where I'm stuck right now: How can the thruway router access that cookie? I can't send it from Javascript as an onchallenge response or anything, as it's httponly. However, as I understand it, websocket uses a http upgrade to initialize, so there should be a window to use cookies for authentication? I want the authmanager to do a simple check if this user's session exists and go from there, which would be trivial.

The examples here are based on having access to the "secret" or CRA response available in javascript.

I'm fairly confused right now after a lot of googling and I'm afraid it's perfectly possible I might have misunderstood some concepts along the way.

mbonneau commented 6 years ago

All of the HTTP headers are available to authenticators. Transport details are in $helloMessage->getDetails()->transport->headers.

I am not sure how to access the php session using the PHPSESSID however.
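As an added example (not code from Thruway or from anyone in this thread), here is a helper that pulls PHPSESSID out of the transport headers an authenticator receives and checks that a matching session exists. It assumes the headers array has the shape described in this thread (header name mapped to an array of values, with cookies joined by semicolons inside one value) and a file-based session store; the cookie name, store path and sample values are assumptions.

```php
<?php
// Added example; not part of Thruway. Assumes headers shaped like
// $helloMessage->getDetails()->transport->headers: a map of header name
// => array of values, where the Cookie header is one "a=b; c=d" string
// (or several entries if the header was repeated in the request).

/**
 * Return the value of $cookieName from the Cookie header(s), or null.
 * Header names are matched case-insensitively.
 */
function sessionIdFromHeaders(array $headers, string $cookieName = 'PHPSESSID'): ?string
{
    foreach ($headers as $name => $values) {
        if (strcasecmp((string) $name, 'Cookie') !== 0) {
            continue;
        }
        // One element may carry many cookies joined by ";", so split every element.
        foreach ((array) $values as $line) {
            foreach (explode(';', $line) as $pair) {
                $parts = explode('=', trim($pair), 2);
                if (count($parts) === 2 && $parts[0] === $cookieName) {
                    return urldecode($parts[1]);
                }
            }
        }
    }
    return null;
}

/**
 * Check that a session file exists for $sid in a file-based session store.
 * The id is validated against PHP's session id alphabet first, so a
 * client-controlled cookie value cannot be turned into an arbitrary path.
 */
function sessionExists(string $sid, string $savePath): bool
{
    if (!preg_match('/^[A-Za-z0-9,-]{1,128}$/', $sid)) {
        return false;
    }
    return is_file(rtrim($savePath, '/') . '/sess_' . $sid);
}

// Constructed sample matching the shape described in this thread (assumed values).
$headers = ['Cookie' => ['theme=dark; PHPSESSID=abc123; lang=en']];
$sid = sessionIdFromHeaders($headers);
$ok  = $sid !== null && sessionExists($sid, session_save_path() ?: sys_get_temp_dir());
// An authenticator would accept the HELLO only when $ok is true and reject it
// otherwise; a custom session handler can replace the file check as needed.
```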

senshi-x commented 6 years ago

I was both afraid and hoping it was gonna be a lot easier than I was making it out to be. Accessing the PHP session: I'll do that using a custom session handler to allow specific access just to the authenticator.

Thanks for your quick reply!

senshi-x commented 6 years ago

I was stupid :) . Cookies are only accessible if their domain really matches the URL used for connecting. I was using the hostname for establishing the WS session, and the cookies were set for localhost.

I still find it odd that cookies are set as an array, but if multiple cookies are present, they'll just be appended to the array's first element, separated by a semicolon. So the cookies array will never have more than one element...

mbonneau commented 6 years ago

@WGPSenshi The format of the headers has to do with PSR-7 header formats. If there are repeats of the same header, you can get more than one.

Consider nginx if you would like to host both your request/response PHP application and your Thruway router through the same host/port combination.