Is there a way to easily pass an authentication cookie when handshaking a WebSocket connection to socket.io? I currently have to do it separately, like so:
socket = new io.Socket(document.location.hostname);
socket.addEvent("connect", function()
{
// Send PHP session ID, which will be used to authenticate
var sessid = readCookie("PHPSESSID");
this.send("{'action':'authenticate','sessionid':'"+sessid+"'}");
});
WebSockets do have support for cookies since they are based on HTTP, but a quick browse through the source of Socket.IO revealed that there is no support for this built in.
So using cookies directly is not a feasible solution in this case, also, since you're using Socket.IO, it's not guaranteed that users will actually connect via a WebSocket.
In the case that a connection uses a flash socket, it's really hard to make Flash send the Browser's cookies instead of it's own set, so even if you would send a cookie directly, it wouldn't get set in the Browser in case of a flask socket connection.
Currently there's no support for this built into Socket.IO, so flash sockets will just fail.
You can read about that in this issue, and here's a question about the flash cookie problem.
Best solution is still to make it part of your own protocol.
Related
I will be happy to get advice from more experienced developers about adding Web Sockets into my HTTP-based project.
That’s the thing. I have developed the REST API based service. Everything works well enough, but… In some special cases my server needs a long time to serve client requests. It may be from 1 minute to several hours (and even days)! I implement some not-so-good algorithm to address this issue:
Client sends HTTP request
Server replies about registering request
Client starts sending HTTP requests to get necessary data (if response does not have needed information the client sends another request and so on)
That is all in a nutshell.
And it seems to be a bad scenario and I am trying to integrate web sockets for adding duplex-channels in this architecture. I hope that my API will be able to send info about updated data as soon as possible without the necessity of many requests from the client.
But I am a bit confused in choosing one of two ways to use web socket (WS).
Variant A.
The server only tells the client via WS that data is ready. And the client gets data by standard request-response HTTP method from REST API.
Variant B.
The server sends all data to the client via WS without HTTP at all.
What variant is more suitable? Or maybe some other variants?
I do not want to remove HTTP at all. I just try to implement WS for a particular kind of end-points.
Variant A would be more suitable and easy to implement. You can send message to the client after the data is ready, and he can then send request for the data. It will be like a simple chat websocket, and will serve your purpose.
Is it possible with Qt to upgrade a HTTP connection that handles the normal HTTP requests to a Websocket with the same connection?
I'm thinking about something like this with Poco libraries, but all done in Qt similar to QtWebApp.
The simple answer is no and that is mostly because of specifics of the server side. And Qt just follows the protocol available and exposed by the server (HTTP/WebSocket) as mostly the client-side development framework and AFAIK won't be able to do the kind of transformation you want of going from HTTP to Websocket that are two different protocols. But of course, theoretically that can be done as long as both protocols able to use IP port 80. But that implies new unique sever and new unique client implementations.
We use both WebSocket and REST in our app. And WebSocket is for triggering the client by the server to do something. Client gets the "poke" from the server and starts normal JSON HTTP-based exchange with the server.
Somewhat relative link: https://softwareengineering.stackexchange.com/questions/276253/mixing-rest-and-websocket-in-the-same-api
I have a client server based c++ application which communicates over network (with boost asio) and I am planning to distribute this client application to my customers. My problem is I don't know how to prevent connection request from other applications, that is how can I make sure that only my client application is able to connect to my server. I think there is no way to do this without making the connection, than what is the best way to verify that request is coming from my client?
You can use asio's builtin SSL ability. So, you generating sertificates for each server, and client sertificates. So you can check client sertificate on server at the moment of SSL handshake. As a bonus, your traffic will be encrypted and SSL-secure. Clients can check server is not a fake; server can check clients are authorized.
Yes you have to accept the connection in order to know if it's from your application or not.
You can use a three-way handshake at the connection step:
Client connects to the server The server is sending an specific
value (integer, strings or whatever) to the new client.
The client handles this value, compute a new one with it and sends
the new value to the server.
The server checks if the returned value is correct or not.
The client will have the same compute method as the server. The others applications will not be able to use your service if they returned a bad value.
I have a mini computer that does not support websockets that I would like to receive push notifications from a server.
The issue is that after the client connects to the server, the server responds and then closes the connection. This makes it so the client has to continually reconnect to the server to get new information.
Is there a way using Django to allow the connection to be left open and then have the server publish data to the client?
Django is primarily a request/response framework and as such does not have support for real duplex communication.
Socket.IO is the de facto library that makes websocket-like functionality cross-browser (IE5.5+), using real websockets as a transport if the browser allows it, falling back to HTTP long-polling or whatever else if it doesn't. For various options on integrating Socket.IO with Django, read this.
I am writing an HTTPS based application using Apache2 as the web server, and python as the language (not sure which framework or Apache2 mod yet). After clients (which are not web browsers) first establish an HTTPS connection to the server, they are expected to send an authentication message. If authentication is successful, they are able to send more commands, until the connection is closed (HTTP 1.1 will be used, with a long keep alive time). My question is, is it possible to have state associated with the connection? I don't want the client to have to send cookies or session ids -- the HTTPS application should be able to figure out the session based on the connection that each request belongs to...the question is how?
HTTP/S is a State less protocol, so you if you don't want to have cookies maintaing the state then you must pass on the state to server each time using hidden variables or query params or some other means and take care of it in server side.
One possible solution is using SSL_SESSION_ID, which is accessible to applications using mod_python, to uniquely identify each client. The problem with this is the ID can apparently change -- but it isn't clear to me whether it can change in the middle of a connection (which would be problematic), or only between connections (which is good -- I actually would need to enforce this behavior).
Anyway, this is the sort of thing I'm looking for, if it wasn't clear from the original question.