how to authenticate user

[Dennis Dowhy]

If I have an HTTP/HTTPS client that is already SAML authenticated, what is the recommended practice for authenticating a subsequent WS/WSS sockjs connection from that same user?  

My understanding is that websocket doesn't provide authentication so you have to use another mechanism... perhaps reusing sessionIDs or cookies?  Are there examples of this somewhere?

<--sockjs/websocket noob

[Chris-S]

sockjs creates a random ID on socket connection, (example = connection.id), this ID is safe to use for the duration of the socket.

sockjs knows when this socket has been connected and disconnected (example socket.onclose(your function here) ) , run your logic from these events.

This has nothing to do with an HTTP session... the socket session only lasts as long as the socket connection to the server, and is cut when the page reloads, or the browser window/tab is closed, or in some cases when the internet connection is dodgy.

It's up to you to send Auth info to your server, for example for verification against a DB. 

e.g. socket.send({command:"auth",name:name,pass:pass});

Personally I use the ID for a looped reconnection attempt on an unexpected socket.onclose(), resending the old ID as data to the server - the server matches it from a list to revalidate, if correct updates the list to the new ID.

e.g. socket.send({command:"re-connect",old_id:old_id});