Get cookie from SockJS-tornado


Truong Tho Nguyen

Apr 21, 2013, 7:34:20 AM
to soc...@googlegroups.com
How can I get a cookie through sockjs-tornado? I need a built-in function like get_secure_cookie from tornado.web.RequestHandler, not something like self.request.headers.

Thx

Serge S. Koval

Apr 21, 2013, 7:46:54 AM
to nguyentruongtho.sg, sockjs
SockJS does not support cookies. Check here: https://github.com/sockjs/sockjs-node/pull/29#issuecomment-2733120

You need to do authentication yourself by sending a special message to the server.


On Sun, Apr 21, 2013 at 2:34 PM, Truong Tho Nguyen <nguyentru...@gmail.com> wrote:
How can I get a cookie through sockjs-tornado? I need a built-in function like get_secure_cookie from tornado.web.RequestHandler, not something like self.request.headers.

Thx

--
You received this message because you are subscribed to the Google Groups "sockjs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sockjs+un...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Alexander Karelas

Apr 21, 2013, 8:28:26 AM
to serge...@gmail.com, soc...@googlegroups.com, nguyentru...@gmail.com
If SockJS supported cookies, then we would be able to turn on the "httpOnly" flag of the cookies, so that cross-site scripting attacks couldn't occur. Are you thinking of supporting cookies in the future?

Truong Tho Nguyen

Apr 21, 2013, 10:17:43 AM
to soc...@googlegroups.com, nguyentruongtho.sg
I actually can get the cookie from sockjs by using info.get_cookie('cookie_name') inside the function on_open(self, info), so what do you mean by "sockjs-tornado does not support cookies"?

btw, it may be a dumb question, but is there a way without cookies to handle 3rd-party login like Facebook login? Normally with tornado.web, I would use user_json = tornado.escape.json_decode(self.get_secure_cookie('c_name')) to get user information from Facebook, right?

Thanks for your answer.

Serge S. Koval

Apr 21, 2013, 11:02:22 AM
to nguyentru...@gmail.com, sockjs
Yes, you can access cookies in sockjs-tornado by going through Tornado machinery, but it is not officially supported by the SockJS protocol due to the reasons described in the post above.

Here's a related note from the sockjs-node server implementation - https://github.com/sockjs/sockjs-node#authorisation

If you want to be safe, don't use cookies for authentication.

Serge S. Koval

Apr 21, 2013, 11:04:32 AM
to Alexander Karelas, sockjs, Truong Tho Nguyen
This won't be secure - SockJS supports the iframe transport (the forever-iframe trick) and the frame is hosted by the SockJS server, on the same domain.

Here's a snippet from the sockjs-node readme:

Cookies are a contract between a browser and an http server, and are identified by a domain name. If a browser has a cookie set for particular domain, it will pass it as a part of all http requests to the host. But to get various transports working, SockJS uses a middleman - an iframe hosted from target SockJS domain. That means the server will receive requests from the iframe, and not from the real domain. The domain of an iframe is the same as the SockJS domain. The problem is that any website can embed the iframe and communicate with it - and request establishing SockJS connection. Using cookies for authorisation in this scenario will result in granting full access to SockJS communication with your website from any website. This is a classic CSRF attack.

Basically - cookies are not suited for SockJS model. If you want to authorise a session - provide a unique token on a page, send it as a first thing over SockJS connection and validate it on the server side. In essence, this is how cookies work.
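The token scheme the readme sketches (put a unique token on the page, send it as the first message over the SockJS connection, validate it server-side) and Serge's earlier advice not to use cookies for authentication, written out as an added example. This is not code from the thread, from sockjs-tornado or from sockjs-node. It is framework-agnostic so it runs without sockjs-tornado installed: `AuthGate` is a hypothetical per-connection object whose `on_open`/`on_message` methods mirror where a `SockJSConnection` subclass would call into it; `SERVER_SECRET`, the token layout, the message shapes and the 300-second lifetime are all assumptions of the example.

```python
"""First-message token authentication for a SockJS connection (added example).

Not code from the sockjs thread, sockjs-tornado or sockjs-node. The HTTP page
handler that renders the logged-in page calls issue_token() and embeds the
result in the page; the browser sends it as the very first SockJS message.
Cookies are deliberately never consulted: the SockJS iframe is served from the
SockJS host, so a cookie proves nothing about which page opened the connection.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption: a server-side secret loaded from configuration in a real deployment.
SERVER_SECRET = b"constructed-example-secret-do-not-use"
TOKEN_TTL_SECONDS = 300  # assumed lifetime of a page token


def issue_token(user_id: str, now: Optional[float] = None) -> str:
    """Mint 'user:expiry:nonce.hmac' for the logged-in user rendering the page.

    The HMAC lets the SockJS server verify the token statelessly; the expiry
    bounds how long a leaked page token stays usable; the nonce makes tokens unique.
    """
    if ":" in user_id or "." in user_id:
        raise ValueError("user_id must not contain ':' or '.'")
    now = time.time() if now is None else now
    payload = f"{user_id}:{int(now) + TOKEN_TTL_SECONDS}:{secrets.token_hex(8)}"
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is well-formed, correctly signed and unexpired."""
    now = time.time() if now is None else now
    payload, sep, sig = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    parts = payload.split(":")
    if len(parts) != 3:
        return None
    user_id, expiry, _nonce = parts
    try:
        if int(expiry) < now:
            return None
    except ValueError:
        return None
    return user_id


class AuthGate:
    """Hypothetical per-connection state: only an 'auth' message is accepted until verified.

    In sockjs-tornado the SockJSConnection subclass would create one of these in
    on_open and delegate on_message to it; on a failed or out-of-order auth the
    connection should be closed (signalled here by the `closed` flag).
    """

    def __init__(self) -> None:
        self.user_id: Optional[str] = None
        self.closed = False

    def on_open(self, info) -> None:
        # info.get_cookie() is available via Tornado, but is intentionally ignored.
        pass

    def on_message(self, raw: str) -> Optional[str]:
        """Process one inbound SockJS message; return the outbound message, if any."""
        if self.closed:
            return None
        try:
            msg = json.loads(raw)
        except ValueError:
            self.closed = True
            return None
        if self.user_id is None:
            # The first message must carry the page token; anything else ends the session.
            if not isinstance(msg, dict) or msg.get("type") != "auth":
                self.closed = True
                return None
            uid = verify_token(str(msg.get("token", "")))
            if uid is None:
                self.closed = True
                return None
            self.user_id = uid
            return json.dumps({"type": "auth_ok", "user": uid})
        # Authenticated: application messages are handled here (echo for the example).
        return json.dumps({"type": "echo", "user": self.user_id, "data": msg.get("data")})


if __name__ == "__main__":
    gate = AuthGate()
    token = issue_token("alice")  # what the page handler would embed in the HTML
    print(gate.on_message(json.dumps({"type": "auth", "token": token})))
    print(gate.on_message(json.dumps({"type": "data", "data": "hello"})))
```

The server never trusts the transport's origin or cookies; it trusts only a token that could have come from a page it rendered for that user, and a connection whose first message is anything else is dropped before any application data is processed.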
