Let me explain my setup. I have multiple domain names that are all CNAME records for a main domain name, such as example.
example -> serverIP
pany1.example -> example
pany2.example -> example
I'm basically developing white labeled versions of our software, where the software simply detects the referrer and knows which logos and stylesheet assets to load.
So that is all well and good, however when socket.io tries to handshake to it's url that looks something like .io/1/?key=123456, the request hangs in a pending state upon signing into the app. On the main domain, example, everything goes through just fine. The dfference is that the main domain sends in a cookie to the socket.io handshake URL whereas the pany subdomains do not.
Does anyone have any ideas on how to fix this? It doesn't appear to even be reaching the server and after a few minutes the pending request returns that it could not be pleted.
Let me explain my setup. I have multiple domain names that are all CNAME records for a main domain name, such as example..
example. -> serverIP
pany1.example. -> example.
pany2.example. -> example.
I'm basically developing white labeled versions of our software, where the software simply detects the referrer and knows which logos and stylesheet assets to load.
So that is all well and good, however when socket.io tries to handshake to it's url that looks something like http://pany1.example./socket.io/1/?key=123456, the request hangs in a pending state upon signing into the app. On the main domain, example., everything goes through just fine. The dfference is that the main domain sends in a cookie to the socket.io handshake URL whereas the pany subdomains do not.
Does anyone have any ideas on how to fix this? It doesn't appear to even be reaching the server and after a few minutes the pending request returns that it could not be pleted.
Share Improve this question asked May 25, 2014 at 3:03 jrthibjrthib 1,3191 gold badge12 silver badges18 bronze badges 6- 1 What's your code to handle authorizations? I suggest to stop authorizing based on cookies and change it to using tokens. – Farid Nouri Neshat Commented May 25, 2014 at 3:10
-
I'll try removing the cookie method, however it appears as though its not even reaching the authorization stage. It's literally just hanging and not moving forward. I added
console.logstatements in my handshake and authorization code, and they don't even occur. – jrthib Commented May 25, 2014 at 3:13 - More information: I just got a "No 'Access-Control-Allow-Origin' for the example./socket.io/1/ URL. Any ideas how to allow certain origins to that URL? – jrthib Commented May 25, 2014 at 3:27
- @jrthib If you're using Express, you might look at the cors middleware module. – mscdex Commented May 25, 2014 at 3:53
-
Are you setting the
originconfig property of socket.io properly? Try to set it to*:*and see if it works or not. – Farid Nouri Neshat Commented May 25, 2014 at 3:58
2 Answers
Reset to default 7I had a similar problem and found that the issue was from the JS Client I was using. I solved this by adding withCredentials: true to my connection config.
Here is how it looks
import io from "socket.io-client";
const connectionObject = {
...,
withCredentials: true,
};
socket = io("http://127.0.0.1:5000" || "", connectionObject);
This added Cookies to calls to my Socket Server.
You got two choices:
Don't use cookies for authentication. Use a token a based method. As soon as the client gets connected to the app, just send the authentication token. You can save the token with localstorage, and for the first time, the token can be embedded in javascript or html by your server.
If you wonder why you shouldn't use tokens, read this from sockjs-node documentation, which implements something similar to socket.io
Cookies are a contract between a browser and an http server, and are identified by a domain name. If a browser has a cookie set for particular domain, it will pass it as a part of all http requests to the host. But to get various transports working, SockJS uses a middleman
an iframe hosted from target SockJS domain. That means the server will receive requests from the iframe, and not from the real domain. The domain of an iframe is the same as the SockJS domain. The problem is that any website can embed the iframe and municate with it - and request establishing SockJS connection. Using cookies for authorisation in this scenario will result in granting full access to SockJS munication with your website from any website. This is a classic CSRF attack. Basically - cookies are not suited for SockJS model. If you want to authorise a session - provide a unique token on a page, send it as a first thing over SockJS connection and validate it on the server side. In essence, this is how cookies work.
Also check this article as an example implementation.
If you are still not convinced, then check choice number 2:
Keep using cookies. This might not work though. Upgrade to the latest socket.io(either 0.9.x or 1.x). Using 0.9.x set the origin config property. Or on 1.x set
originsserver option. You can set them to*:*or*example.:*.Also check this question: CORS with socket.io