PHP Sessions and Strophe XMPP authentication


Siddhartha

Mar 30, 2011, 6:26:37 AM
to Strophe
Hi,

I am creating a web site on which I need a notification/chat system
(only the notification system is really important).
Each user authenticates before accessing the web site, and
has a specific XMPP account.
The XMPP account is created when the user creates his account on the
web site, and he doesn't even know he has one.

At first, the web site was using one single page and filling content
with AJAX.
I installed Ejabberd and Strophe, and all was working fine.

The web site is now changing a bit and users will navigate between
pages.

As the BOSH authentication is quite long, I tried to use the attach()
function of Strophe with a PHP script (similar to the one I saw on
this group) that takes care of all the XMPP-BOSH login part (this
works fine).

The second step is to allow users to change page, reload, switch
between tabs, etc., using the same BOSH
session (jid, rid, sid).
The problem is I have to maintain a correct rid between all the
Strophe instances of all pages: I made a few tests using this technique:
every time the page loses focus or a click is made on a link, the page
updates rid in the PHP session using a specific PHP script, and pause()
Strophe. On page load/focus, the rid is downloaded with the same
script and attach() or resume().

It works... most of the time, which is not enough.

I have some ideas I wanted to share to get feedback (and other
solutions I didn't think of):
--

1) Every page opens a new session (using a php script to create
session).

This takes around 300-500ms and can be done after displaying the page.
My problem is I don't know how the Ejabberd server will react to so
many authentications. The website will have between 300-700
simultaneous users so this could mean around 50 authentications per second
with this technique.

2) Using the http-prebind patch for Ejabberd

I saw two of them: one is using anonymous auth (can't use it), the
other is using HTTP basic auth.
I could pass basic auth with JS, but I would have the same problem
as in 1) about the ejabberd load.
The other problem is I don't know Erlang and the project
(https://github.com/skeltoac/http_prebind) doesn't seem active.



3) Try to find another technique to store rid (I saw someone using the
local storage, maybe cookies)
and patch Strophe to get rid before every call.
LocalStorage is not supported by all browsers though.

4) Create an XMPP "proxy" which will:

- Take care of the authentication process (using PHP session parameters set up
  during the web login process), and maintain a session active (with a specific
  timeout).
- Modify rid on the fly from the web client to the ejabberd.

This solves all my problems but such a thing doesn't exist so it will
take some time to write (but less than coding a new Ejabberd+Strophe).
(I know the best way would be to write this in Erlang and attach it to
Ejabberd but it would take too much time for me to learn Erlang enough
to do something like this).

--

Have any of you tried one of these techniques? Do you have other
ideas?

Thanks in advance,

Patrick

Karan Ahuja

Mar 30, 2011, 2:25:46 PM
to str...@googlegroups.com, Siddhartha
hi

we had solved the same problem by installing punjab and using it to connect to the server

I will ask our CTO to discuss this on the thread tomorrow
as this same question came up 2 - 3 times now

meanwhile you can play around with punjab connection manager

Thanks and regards

Karan Ahuja



Siddhartha

Mar 30, 2011, 5:59:08 PM
to Strophe
Hi,

Thanks for the answer.
I didn't mention Punjab because I thought it was a BOSH frontend for
Jabber servers that haven't any (or to speak to multiple servers, which is
not my case).
But it didn't appear to me that it will speed up the BOSH connection.
To be honest I didn't find much doc on Punjab as the only official
page is on github, and didn't find much on the web except what I
mentioned above.
I also had a look at this: http://dev.esl.eu/blog/2009/05/05/benchmarking-bosh-services/
(it's two years old), so I didn't go any further.

I just installed it and it seems to work fine as a BOSH connector, but
it still needs all the BOSH authentication.

Am I missing something? Is there a link to punjab doc?

Regards,

Patrick

Vineet Naik

Mar 31, 2011, 6:33:03 AM
to str...@googlegroups.com
Hi,

As Karan mentioned, we could get the attach function of Strophe working by using punjab as the connection manager.
We are using Openfire as the xmpp server though. So I am under the impression that it had something to do with the default connection
manager that openfire uses. I haven't worked with ejabberd much but if you are facing the same problem, punjab might do the trick.

> I just installed it and it seems to work fine as a BOSH connector, but
> it still needs all the BOSH authentication.

Sorry I didn't get this. Can you please elaborate on this?

It is required to configure the url where punjab should listen in the punjab.tac file.

Then proxy all requests from a particular url on your web server to this url configured in punjab. Punjab runs on the port 5280 by default,
so this url will be something like http://127.0.0.1:5280/xmpp-httpbind/ . In the punjab.tac file specify only the "xmpp-httpbind" part.

I think even ejabberd works on the port 5280 by default, not very sure though. In that case the default punjab port will have to be changed to something else.

If configured correctly, punjab directs the BOSH requests to the xmpp server by itself. However this is only when the name of the server is
localhost. If it's something else, then it needs to be specified by adding a "to" attribute to the body of the request.

Here is how we have implemented it -

When the user logs in, only for the first time a connection is established to the xmpp server. XMPPHP library is used for this.

The sid, rid and jid obtained are used to attach to this session in javascript. And these values are also stored in javascript cookies.

On the window.onunload event, the latest rid value is obtained from the Strophe connection object and stored in the cookie as the new rid after incrementing by 1.

On the next page load, rid, jid, sid are taken from the cookie.

This works well for page reloads. You have also mentioned switching between tabs. For this the rid value will have to be incremented and maintained across all the tabs. Not sure how to do this.

Siddhartha

Mar 31, 2011, 2:18:04 PM
to Strophe
Hi,

>> I just installed it and it seems to work fine as a BOSH connector, but
>> it still needs all the BOSH authentication.
> Sorry I didn't get this. Can you please elaborate on this ?

My point is : what is the benefit (in my particular setup) of using
Punjab vs Ejabberd BOSH as
- the authentication process is as long as using Ejabberd BOSH
- The RID also has to be maintained

As these are my biggest problems, I can't see how Punjab would help me
on this.

(RID was created by BOFH ? :-) )

> It is required to configure the url where punjab should listen to in
> punjab.tac file
> [....]
>
> I think even ejabberd works on the port 5280 by default, not very sure
> though. In that case the default punjab port will have to be changed to
> something else.

Yes, Ejabberd listens on port 5280 for BOSH (and admin) connections.

> If configured correctly, punjab directs the BOSH requests to the xmpp server
> by itself. However this is only when the name of the server is
> localhost. If its something else, then it needs to be specified by adding a
> "to" attribute to the body of the request.

It seems it makes a direct XMPP request (not BOSH) on backend XMPP
server. Again, I would love to RTFM if I had it...

> Here is how we have implemented it -
> [...]

So the cookie option seems to work fine, thanks very much for the
feedback. Does it fail sometimes? Do you try a standard connection
in that case?

I did the same (not with cookie) but didn't have to increment rid by
1.
Does the XMPP protocol allow to skip one RID ?

>
> This works well for page reloads. You have also mentioned switching between
> tabs. For this the rid value will have to be incremented and maintained
> across all the tabs. Not sure how to do this.

This is one of my biggest problems too....

I am currently evaluating solution 4 described above : it's not as
complex as I thought but needs a lot of work.
It's actually a shame I can't write in python because I could use the
Punjab source code.

Regards,

Patrick


Matthew Wild

Mar 31, 2011, 2:44:36 PM
to str...@googlegroups.com

It does not (the server will think a request has been lost, and may
wait for it).

Regards,
Matthew

Vineet Naik

Apr 1, 2011, 1:45:32 AM
to str...@googlegroups.com
> So the cookie option seems to work fine, thanks very much for the
> feedback. Does it fail sometimes ? Do you try a standard connection
> in that case ?

Yes it does fail but it happens very rarely. In that case, we try to get a new connection to the server by calling the
server side script (which uses XMPPHP lib) by means of an ajax request.
Once we have the new values of sid, rid and jid from its response, Strophe's attach function is invoked again and the cookies are updated with these
new values.

> I did the same (not with cookie) but didn't have to increment rid by
> 1.
> Does the XMPP protocol allow to skip one RID ?

It seems it does accept RID values within a small range as mentioned in this article by Jack - http://metajack.im/2008/10/03/getting-attached-to-strophe/. Haven't tried it though.

Siddhartha

Apr 3, 2011, 6:46:52 PM
to Strophe
On Apr 1, 07:45, Vineet Naik <naik...@gmail.com> wrote:
>
> > 1.
> > Does the XMPP protocol allow to skip one RID ?
>
> It seems it does accept RID values within a small range as mentioned in this
> article by Jack - http://metajack.im/2008/10/03/getting-attached-to-strophe/. Haven't
> tried it though.

I was using the rid provided by Strophe which didn't need to be raised
by one (checked with tcpdump), but I broke my test bench to test my
other solution (see below).

Anyway, I didn't find any good ways to share RID across multiple tabs
with cookies so I'm currently working on an XMPP "proxy": it is kind
of a mix between Punjab and pre-bind patch of Ejabberd.

I made a quick evaluation of the work, and it is not as complex as I
thought. Besides, it solves all my problems of authentication as I
rely only on the data provided by the PHP session (even if the thing
itself will be coded in C for performance reasons):
After the initial login the PHP session contains:
- login + pass on the Ejabberd
- fake rid, sid and jid for Strophe to use
Then for every query made the proxy will use the PHP session ID to convert
sid, jid & rid to real ones - if they don't exist, they will be created
with a real authentication - to pass to Ejabberd.
The proxy also maintains a session for a customized period of time.

But I'm still open to other ideas...

Thanks for the answers everyone !

Patrick

Siddhartha

Apr 11, 2011, 1:58:52 PM
to Strophe
Hi everyone,

To be precise about the RID, this is what the protocol says it should
do:

The connection manager SHOULD expect the 'rid' attribute
to be within a window of values greater than the 'rid' of the previous
request. The size of the window is equal to the maximum number of
simultaneous requests allowed by the connection manager. If it
receives a request with a 'rid' greater than the values in the window,
then the connection manager MUST terminate the session with an error

(http://xmpp.org/extensions/xep-0124.html#rids).

Implementation may differ, but I'm quite sure the BOSH interface of
Ejabberd works that way.

Patrick
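
The window rule quoted above, together with the earlier points in this thread (a skipped rid makes the server wait for the missing request; a stored rid reused by a second tab is no longer greater than the previous one), can be modelled in a few lines. This is an added example, not code from the thread, Strophe or ejabberd; the class name, verdict strings and rid values are constructed for illustration.

```javascript
// Added illustration: models the XEP-0124 'rid' window as quoted in the thread.
// RidWindow and its verdict strings are hypothetical names.
class RidWindow {
  // lastRid:  rid of the last request processed in order
  // requests: max simultaneous requests allowed (the window size)
  constructor(lastRid, requests) {
    this.lastRid = lastRid;
    this.requests = requests;
    this.held = new Set(); // in-window rids waiting for a missing predecessor
    this.terminated = false;
  }

  receive(rid) {
    if (this.terminated) return 'terminated';
    // Not greater than the previous rid, e.g. two tabs reusing one stored rid.
    // The quoted text does not say how this case is handled.
    if (rid <= this.lastRid) return 'not-greater';
    if (rid > this.lastRid + this.requests) {
      this.terminated = true; // beyond the window: session MUST be terminated
      return 'terminated';
    }
    if (rid !== this.lastRid + 1) {
      this.held.add(rid); // a request looks lost: wait for it
      return 'held';
    }
    this.lastRid = rid;
    // The missing request arrived: release held successors in order.
    while (this.held.delete(this.lastRid + 1)) this.lastRid += 1;
    return 'processed';
  }
}

// Constructed scenario: rid values are made up, window size is 2.
function demo() {
  const cm = new RidWindow(1000, 2);
  return [
    cm.receive(1001), // next in sequence
    cm.receive(1003), // one rid skipped, still inside the window
    cm.receive(1002), // the "lost" request arrives, 1003 is released too
    cm.receive(1003), // second tab attaches with the same stored rid
    cm.receive(1007), // beyond lastRid + requests
    cm.receive(1004), // session is gone; a fresh login is needed
  ];
}

console.log(demo());
```
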