I'm trying to use Socket.IO's authorization function to get session data. The problem is that even if I log out and destroy my session, Socket.IO still has the old session information, which is clearly not ideal. Any ideas what I'm doing wrong in the code below?
io.set('authorization', function (data, accept) {
if(data.headers.cookie) {
data.cookie = parseCookie(data.headers.cookie);
data.sessionID = data.cookie['express.sid'];
app.set('mongo-store').get(data.sessionID, function (err, session) {
console.log(err, session);
if (err || !session) {
// if we cannot grab a session, turn down the connection
accept('Error', false);
} else {
// save the session data and accept the connection
data.session = session;
accept(null, true);
}
});
} else {
return accept('No cookie transmitted.', false);
}
accept(null, true);
});
And here is the connection code:
io.sockets.on('connection', function(socket) {
var hs = socket.handshake;
console.log('A socket with sessionID ' + hs.sessionID
+ ' connected!');
// setup an inteval that will keep our session fresh
var intervalID = setInterval(function () {
// reload the session (just in case something changed,
// we don't want to override anything, but the age)
// reloading will also ensure we keep an up2date copy
// of the session with our connection.
hs.session.reload( function () {
// "touch" it (resetting maxAge and lastAccess)
// and save it back again.
hs.session.touch().save();
});
}, 60 * 1000);
socket.on('disconnect', function () {
console.log('A socket with sessionID ' + hs.sessionID
+ ' disconnected!');
// clear the socket interval to stop refreshing the session
clearInterval(intervalID);
});
});
I'm trying to use Socket.IO's authorization function to get session data. The problem is that even if I log out and destroy my session, Socket.IO still has the old session information, which is clearly not ideal. Any ideas what I'm doing wrong in the code below?
io.set('authorization', function (data, accept) {
if(data.headers.cookie) {
data.cookie = parseCookie(data.headers.cookie);
data.sessionID = data.cookie['express.sid'];
app.set('mongo-store').get(data.sessionID, function (err, session) {
console.log(err, session);
if (err || !session) {
// if we cannot grab a session, turn down the connection
accept('Error', false);
} else {
// save the session data and accept the connection
data.session = session;
accept(null, true);
}
});
} else {
return accept('No cookie transmitted.', false);
}
accept(null, true);
});
And here is the connection code:
io.sockets.on('connection', function(socket) {
var hs = socket.handshake;
console.log('A socket with sessionID ' + hs.sessionID
+ ' connected!');
// setup an inteval that will keep our session fresh
var intervalID = setInterval(function () {
// reload the session (just in case something changed,
// we don't want to override anything, but the age)
// reloading will also ensure we keep an up2date copy
// of the session with our connection.
hs.session.reload( function () {
// "touch" it (resetting maxAge and lastAccess)
// and save it back again.
hs.session.touch().save();
});
}, 60 * 1000);
socket.on('disconnect', function () {
console.log('A socket with sessionID ' + hs.sessionID
+ ' disconnected!');
// clear the socket interval to stop refreshing the session
clearInterval(intervalID);
});
});
- +1 I'm having the same issue. Even if the client's session cookie expires or is deleted, the Socket.IO connection still has access to the old data and believes the session is still active. – dbau Commented Apr 11, 2012 at 9:05
2 Answers
Reset to default 4From http://www.danielbaulig.de/socket-ioexpress/
sio.sockets.on('connection', function (socket) {
var hs = socket.handshake;
console.log('A socket with sessionID ' + hs.sessionID
+ ' connected!');
// setup an inteval that will keep our session fresh
var intervalID = setInterval(function () {
// reload the session (just in case something changed,
// we don't want to override anything, but the age)
// reloading will also ensure we keep an up2date copy
// of the session with our connection.
hs.session.reload( function () {
// "touch" it (resetting maxAge and lastAccess)
// and save it back again.
hs.session.touch().save();
});
}, 60 * 1000);
socket.on('disconnect', function () {
console.log('A socket with sessionID ' + hs.sessionID
+ ' disconnected!');
// clear the socket interval to stop refreshing the session
clearInterval(intervalID);
});
});
Edit: auth code
io.set('authorization', function (handshakeData, callback) {
var cookie;
// console.log(handshakeData.headers);
if (handshakeData.headers && handshakeData.headers.cookie) {
cookie = parseCookie(handshakeData.headers.cookie);
// where SessionStore is an instance of your mongo store
SessionStore.load(cookie['sioapp.sid'], function (err, session) {
if (err) {
// if we cannot grab a session, turn down the connection
console.log(err);
} else {
// console.log('Successfully decoded the session: ', session);
handshakeData.session = session;
}
});
}
callback(null, true); // error first callback style
});
Once every 60 seconds, the session is touched (thus refreshed). When the user disconnects, the session is destroyed.
I'm not sure the 60 * 1000 means 60 mn. I would say it is 1 mn.