在 websocket 握手时使用会话数据 [英] Use session data on websocket handshake
问题描述
如果登录用户导航到站点的某个区域,该区域将使用 WebSockets,我如何获取该会话 ID,以便在服务器上识别他?
If a logged in user navigates to a certain area of the site which is to use WebSockets, How can I grab that session Id so I can identify him on the server?
我的服务器基本上是一个无休止的 while 循环,它保存有关所有已连接用户和内容的信息,因此为了获取该 ID,我认为唯一合适的时刻是握手,但不幸的是,握手的请求标头不包含 cookie 数据:
My server is basically an endless while loop which holds information about all connected users and stuff, so in order to grab that id I figured the only suitable moment is at the handshake, but unfortunately the handshake's request headers contain no cookie data:
请求标头
接受:text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
接受编码:gzip、deflate接受语言:en-US,en;q=0.5
缓存控制:无缓存
连接:保持连接,升级
DNT:1
主持人:192.168.1.2:9300
来源:http://localhost
编译指示:无缓存
Sec-WebSocket-Key:5C7zarsxeh1kdcAIdjQezg==
Sec-WebSocket-版本:13
升级:websocket
用户代理:Mozilla/5.0(Windows NT 6.1;WOW64;rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Cache-Control: no-cache
Connection: keep-alive, Upgrade
DNT: 1
Host: 192.168.1.2:9300
Origin: http://localhost
Pragma: no-cache
Sec-WebSocket-Key: 5C7zarsxeh1kdcAIdjQezg==
Sec-WebSocket-Version: 13
Upgrade: websocket
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
rv:27.0) Gecko/20100101 Firefox/27.0
那么我如何才能真正获取该 ID?我以为我可以以某种方式强制 javascript 将 cookie 数据与该请求一起发送,但 2014 年任何有自尊的网站都会有 httpOnly 会话 cookie,这样就行不通了.非常感谢任何帮助!
So how can I really grab that id? I thought I could somehow force javascript to send cookie data along with that request but any self-respecting website in 2014 will have httpOnly session cookies so that wont work out. Any help is greatly appreciated!
这是我正在使用的服务器的链接:https://github.com/Flynsarmy/PHPWebSocket-Chat/blob/master/class.PHPWebSocket.php(感谢接受的答案)
Here's a link for the server I'm using: https://github.com/Flynsarmy/PHPWebSocket-Chat/blob/master/class.PHPWebSocket.php (thanks to accepted answer)
推荐答案
http only cookies 以及安全 cookies 与 websocket 配合良好.
http only cookies as well as secure cookies work fine with websocket.
某些 websocket 模块选择忽略请求中的 cookie,因此您需要阅读模块的规范.
Some websocket modules have chosen to ignore cookies in the request, so you need to read the specs of the module.
尝试:websocket 节点:https://github.com/Worlize/WebSocket-Node.
Try: websocket node: https://github.com/Worlize/WebSocket-Node.
确保使用安全的 websocket 协议作为 wss://xyz.com
Make sure to use the secure websocket protocol as wss://xyz.com
此外,chrome 将不会在检查元素"网络标签中显示 cookie.
Also, chrome will not show the cookies in the "inspect element" Network tab.
在节点中尝试转储请求,例如:
In node try dumping the request, something like:
wsServer.on('request', function(request) {
console.log(request);
console.log(request.cookies); // works in websocket node
}
如果您在日志中的某处看到 cookie ......您就知道了.
If you see the cookies somewhere in the log...you've got it.
如果您使用仅安全的 cookie,则需要使用安全的网络套接字:wss://
If you're using secure-only cookies, you need to be in secure web sockets: wss://
cookie 在初始请求中传递.Chrome 不会(一直)显示它,因为有时它会显示省略 cookie 信息的临时标头.
The cookies are passed in the initial request. Chrome does not show it (all the time) as sometimes it shows provisional headers which omits cookie information.
由 websocket 服务器对 cookie 做某事"并将它们附加到每个请求.
It is up to the websocket server to do 'something' with the cookies and attach them to each request.
查看你服务器的代码:https://github.com/Flynsarmy/PHPWebSocket-Chat/blob/master/class.PHPWebSocket.php 我在任何地方都没有看到cookie"这个词,所以它没有被很好地打包并附加到每个 websocket 连接.我可能是错的,这就是为什么您可能想要联系开发人员并查看整个标头是否附加到每个连接以及如何访问它.
Looking at the code of your server: https://github.com/Flynsarmy/PHPWebSocket-Chat/blob/master/class.PHPWebSocket.php I do not see the word "cookie" anywhere, so it is not being nicely packaged and attached to each websocket connection. I could be wrong, that's why you might want to contact the developer and see if the whole header is being attached to each connection and how to access it.
我可以肯定地说:如果您使用安全 cookie,则 cookie 将不会被传输,除非您使用安全 websocket wss://mysite.com.普通的 ws://mysite.com 将不起作用.
This I can say for certain: If you're using secure cookies then cookies will not be transmitted unless you use the secure websocket wss://mysite.com. Plain ws://mysite.com will not work.
此外,只有在域与网页相同的情况下,cookie 才会在请求中传输.
Also, cookies will only be transmitted in the request if the domain is the same as the webpage.
这篇关于在 websocket 握手时使用会话数据的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
