Re: [tornado] sockjs-tornado authorization


Serge S. Koval

Jun 23, 2012, 3:33:17 PM
to python-...@googlegroups.com
Hi,

All you need is to extend your protocol to accept an authentication token from the client as the first message, validate it, and either allow the user to continue or disconnect him with an error message.

So, the following will work:
1. Encrypt a value that identifies the user using a symmetric algorithm (AES, etc.). Add some proofing to the token before encrypting it: a random value, a time stamp to prevent replay attacks, etc.
2. Expose the encrypted token to the client.
3. Whenever the client connects to the server, send this token as the first message.
4. On the server side (sockjs-tornado), decrypt and verify the token.
5. If everything is fine, store the user information in your connection class and continue working.

Hope it helps.

Serge.

On Sat, Jun 23, 2012 at 2:34 PM, Rinu Boney <rinu....@gmail.com> wrote:
I use sockjs-tornado.
Within a sockjs-tornado handler, how can I determine the current_user?
I have the user session "token" stored in a secure cookie.
I cannot access the secure cookie value from the sockjs handler.
RabbitMQ and MongoDB are part of my stack (will they help in the process?).

I have devised a way:
1. Generate a unique id.
2. Store the unique id in a normal cookie.
3. Create a RabbitMQ queue with the unique id as the routing key and push messages into it regarding the user.
4. The sockjs handler can get the unique id from the cookie, consume the user data and delete the queue.
5. Thus the user data is obtained; further data about the user can be obtained by a pymongo query.

Is this a good, secure way of doing it?
Is there a more efficient way?
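The five steps Serge describes above, worked through as an added example that is not code from either poster or from the sockjs-tornado project. It deviates from Serge's wording in one labelled way: instead of AES encryption (which the standard library does not provide), the token is authenticated with an HMAC-SHA256 tag, since what the server must be able to trust is that the user id, nonce and timestamp were not forged or altered, and an unauthenticated ciphertext does not give that guarantee. `AuthenticatedConnection`, `SECRET_KEY`, `TOKEN_TTL_SECONDS` and the echo handling are constructed stand-ins: the class mimics the `on_message`/`send`/`close` shape of a `SockJSConnection` subclass without importing sockjs-tornado, so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo secret; a real deployment loads this from configuration,
# never from source. It must be the same on every server that verifies tokens.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 300          # how long an issued token stays valid (assumption)
_MAC_LEN = hashlib.sha256().digest_size

# Nonces already accepted. Together with the timestamp window this makes every
# token single-use, so a captured token cannot be replayed on a second connection.
# A multi-process deployment would keep this in a shared store instead (assumption).
_consumed_nonces = set()


def _sign(payload: bytes) -> bytes:
    """HMAC-SHA256 tag over the serialized payload."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def issue_token(user_id: str, now: Optional[float] = None) -> str:
    """Steps 1-2: build the token the web app exposes to the logged-in client.
    The payload carries the user id plus the 'proofing' Serge mentions:
    a random nonce and an issue timestamp."""
    now = time.time() if now is None else now
    payload = json.dumps(
        {"uid": user_id, "nonce": secrets.token_hex(16), "ts": int(now)}
    ).encode()
    return base64.urlsafe_b64encode(payload + _sign(payload)).decode()


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Step 4: return the user id if the token is authentic, fresh and unused,
    otherwise None. Every failure path returns None without detail, so the
    client learns only that authentication failed."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:               # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= _MAC_LEN:
        return None
    payload, mac = raw[:-_MAC_LEN], raw[-_MAC_LEN:]
    # Constant-time comparison: a plain == would leak tag bytes via timing.
    if not hmac.compare_digest(mac, _sign(payload)):
        return None
    try:
        data = json.loads(payload)
        uid, nonce, ts = data["uid"], data["nonce"], int(data["ts"])
    except (ValueError, KeyError, TypeError):
        return None
    # Freshness window: rejects both stale tokens and ones dated in the future.
    if not 0 <= now - ts <= TOKEN_TTL_SECONDS:
        return None
    if nonce in _consumed_nonces:    # replay of an already-used token
        return None
    _consumed_nonces.add(nonce)
    return uid


class AuthenticatedConnection:
    """Hypothetical stand-in for a sockjs_tornado.SockJSConnection subclass
    (steps 3-5): the first message must be the token; until it verifies, no
    other message is processed, and a bad token closes the connection."""

    def __init__(self) -> None:
        self.user_id: Optional[str] = None   # step 5: user info lives on the connection
        self.sent = []                       # stand-in for messages pushed to the client
        self.closed = False

    def send(self, message: str) -> None:
        self.sent.append(message)

    def close(self) -> None:
        self.closed = True

    def on_message(self, message: str, now: Optional[float] = None) -> None:
        if self.user_id is None:
            uid = verify_token(message, now)
            if uid is None:
                self.send("error: authentication failed")
                self.close()
                return
            self.user_id = uid
            self.send("ok")
            return
        if self.closed:
            return
        # Authenticated traffic; echoing with the user tag stands in for real handling.
        self.send(f"{self.user_id}: {message}")
```

Because the nonce set and the TTL are both checked, the same token is rejected on a second connection even inside the freshness window, and a token whose tag has been altered fails before its payload is ever parsed.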

Алексей Силк

Jul 18, 2012, 3:50:17 AM
to python-...@googlegroups.com
Hi

Have you finished your code?
I'm doing the same now... Help would be appreciated...

On Saturday, June 23, 2012 at 15:34:15 UTC+4, Rinu Boney wrote: