Socket.io 未在握手中发送 cookie 导致请求停止 [英] Socket.io not sending cookies in the handshake causing the request to stall
问题描述
让我解释一下我的设置.我有多个域名,都是一个主域名的 CNAME 记录,例如 example.com.
Let me explain my setup. I have multiple domain names that are all CNAME records for a main domain name, such as example.com.
example.com -> serverIP
example.com -> serverIP
company1.example.com -> example.com
company1.example.com -> example.com
company2.example.com -> example.com
company2.example.com -> example.com
我基本上是在开发我们软件的白标版本,其中软件只是检测引用者并知道要加载哪些徽标和样式表资产.
I'm basically developing white labeled versions of our software, where the software simply detects the referrer and knows which logos and stylesheet assets to load.
所以这一切都很好,但是当 socket.io 尝试与它的 url 握手时,它看起来像 http://company1.example.com/socket.io/1/?key=123456,请求在登录应用程序后挂起处于挂起状态.在主域 example.com 上,一切正常.不同之处在于主域将 cookie 发送到 socket.io 握手 URL,而公司子域不会.
So that is all well and good, however when socket.io tries to handshake to it's url that looks something like http://company1.example.com/socket.io/1/?key=123456, the request hangs in a pending state upon signing into the app. On the main domain, example.com, everything goes through just fine. The dfference is that the main domain sends in a cookie to the socket.io handshake URL whereas the company subdomains do not.
有人对如何解决这个问题有任何想法吗?它似乎甚至没有到达服务器,几分钟后挂起的请求返回它无法完成.
Does anyone have any ideas on how to fix this? It doesn't appear to even be reaching the server and after a few minutes the pending request returns that it could not be completed.
推荐答案
您有两个选择:
不要使用 cookie 进行身份验证.使用基于令牌的方法.一旦客户端连接到应用程序,只需发送身份验证令牌.您可以使用localstorage 保存token,并且首次可以通过您的服务器将token 嵌入到javascript 或html 中.
Don't use cookies for authentication. Use a token a based method. As soon as the client gets connected to the app, just send the authentication token. You can save the token with localstorage, and for the first time, the token can be embedded in javascript or html by your server.
如果您想知道为什么不应该使用令牌,请阅读 sockjs-node文档,它实现了类似于 socket.io 的东西
If you wonder why you shouldn't use tokens, read this from sockjs-node documentation, which implements something similar to socket.io
Cookies 是浏览器和 http 服务器之间的契约,是由域名标识.如果浏览器设置了 cookie特定域,它将作为所有 http 请求的一部分传递给主人.但是为了让各种传输工作,SockJS 使用中间人
Cookies are a contract between a browser and an http server, and are identified by a domain name. If a browser has a cookie set for particular domain, it will pass it as a part of all http requests to the host. But to get various transports working, SockJS uses a middleman
从目标 SockJS 域托管的 iframe.这意味着服务器将接收来自 iframe 的请求,而不是来自真实域的请求.这iframe 的域与 SockJS 域相同.问题是任何网站都可以嵌入 iframe 并与之通信 - 以及请求建立 SockJS 连接.将 cookie 用于在这种情况下授权将导致授予完全访问权限从任何网站与您的网站进行 SockJS 通信.这是一个经典的CSRF攻击.基本上 - cookie 不适合 SockJS模型.如果你想授权一个会话 - 提供一个唯一的令牌一个页面,作为第一件事通过 SockJS 连接发送并验证它在服务器端.本质上,这就是 cookie 的工作原理.
an iframe hosted from target SockJS domain. That means the server will receive requests from the iframe, and not from the real domain. The domain of an iframe is the same as the SockJS domain. The problem is that any website can embed the iframe and communicate with it - and request establishing SockJS connection. Using cookies for authorisation in this scenario will result in granting full access to SockJS communication with your website from any website. This is a classic CSRF attack. Basically - cookies are not suited for SockJS model. If you want to authorise a session - provide a unique token on a page, send it as a first thing over SockJS connection and validate it on the server side. In essence, this is how cookies work.
另以这篇文章为例 实施.
如果您仍然不相信,请检查选项 2:
If you are still not convinced, then check choice number 2:
继续使用 cookie.不过这可能行不通.升级到最新的 socket.io(0.9.x 或 1.x).使用 0.9.x 设置 origin 配置属性.或者在 1.x 设置 origins 服务器选项.您可以将它们设置为 *:* 或 *example.com:*.
Keep using cookies. This might not work though. Upgrade to the latest socket.io(either 0.9.x or 1.x). Using 0.9.x set the origin config property. Or on 1.x set origins server option. You can set them to *:* or *example.com:*.
同时检查这个问题:CORS with socket.io
这篇关于Socket.io 未在握手中发送 cookie 导致请求停止的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
