  1. #1

    Sending authenticated sessionID cookie from browser to notifyUser

    Hi,

    I am currently implementing authentication for my lightstreamer instance.

    notifyUser is being called with a request, for example:

    { id: 'd100000145fea61d8d',
    verb: 'notifyUser',
    userName: 'some',
    userPassword: 'thing',
    headers:
    { 'content-type': 'application/x-www-form-urlencoded; charset=UTF-8',
    'cache-control': 'no-cache',
    connection: 'keep-alive',
    host: 'localhost',
    'accept-language': 'en-US,en;q=0.5',
    accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'content-length': '218',
    origin: 'https://localhost:4433',
    'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:29.0) Gecko/20100101 Firefox/29.0',
    'accept-encoding': 'gzip, deflate',
    referer: 'https://localhost:4433/view1',
    pragma: 'no-cache',
    REQUEST_ID: '277' } }

    I understand that this is triggered by the client.connect() which is executed on the client from within the webpage that has been served by my server.

    In order to proceed with the authentication inside notifyUser I need access to the sessionID that has been set by the server in the form of a cookie. This cookie is currently specified as httpOnly so that the browser does not allow programmatic access to it. What I would like is recommendations for the best/most secure approach to handle the authentication in this manner. Specifically I need access to this sessionId inside the notifyUser method so that I can authenticate effectively and return from the function.

    Maybe there is also some consideration relating to the withCredentials parameter that is typically set when making https requests. However as the https request to start the session is made from within the lightstreamer library itself I do not know any way to set this field.

    Advice would be much appreciated.

    Thank you.

  2. #2
    Hi,

    You may enable the forwarding of the cookies to the Metadata Adapter, setting to 'Y' the <forward_cookies> configuration element in the SECURITY CONFIGURATION section of the lightstreamer_conf.xml file.
    If set to 'Y', the cookies are forwarded to the Metadata Adapter through the httpHeaders argument of the "notifyUser" method.
    But keep in mind that, as stated in the notes, you should also set to 'Y' the <use_protected_js> configuration element, because otherwise you may expose the server to CSRF attacks, and you should also configure the <cross_domain_policy> element with a less permissive rule.

    hth
    Marco

  3. #3
    Hi,

    thanks for the reply.

    I set <use_protected_js>Y</use_protected_js> and <forward_cookies>Y</forward_cookies>

    but still in the request I only see the following:

    { id: '40000014605500b77',
    verb: 'notifyUser',
    userName: null,
    userPassword: null,
    headers:
    { 'content-type': 'application/x-www-form-urlencoded; charset=UTF-8',
    'cache-control': 'no-cache',
    connection: 'keep-alive',
    host: 'localhost',
    'accept-language': 'en-US,en;q=0.5',
    accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'content-length': '151',
    origin: 'https://localhost:4433',
    'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:29.0) Gecko/20100101 Firefox/29.0',
    'accept-encoding': 'gzip, deflate',
    referer: 'https://localhost:4433/view1',
    pragma: 'no-cache',
    REQUEST_ID: '16' } }

    Here is my notify user method:

    metadataProvider.on('notifyUser', function(request, response){

    console.log(request);

    });

    and here is the adapters config:

    <metadata_provider>
    <adapter_class>com.lightstreamer.adapters.remote.metadata.RobustNetworkedMetadataProvider</adapter_class>
    <classloader>log-enabled</classloader>
    <param name="request_reply_port">6662</param>
    <param name="timeout">36000000</param>
    </metadata_provider>


    Is there something else that I need to do?

    Thanks for the help.

  4. #4
    Hi,

    It might depend on the browser in use; be sure to call lightstreamerClientInstance.connectionOptions.setCookieHandlingRequired(true) on the client
    See
    http://www.lightstreamer.com/docs/cl...ndlingRequired
    and
    https://docs.google.com/a/lightstrea...rive_web#gid=1


    If still in trouble verify that the cookie is sent by the browser (check the create_session.js request) and get back to us.

  5. #5
    that did the trick, thanks for the help!

  6. #6
    Actually, that fixed one problem and exposed another one. I now have the required cookies, and I parse them and use the result to perform a lookup in a database which is an async call. Is it OK to call async code inside the notifyUser method? It seems that this is causing an issue currently, as when I change the method body to simply:

    response.success(100000000,false);

    ... everything works just fine.

    However, when I call response.success(100000000,false); from the database callback function the LSClient will no longer connect.

    What is the recommended approach here?

  7. #7
    Have looked into this further - when client.connectionOptions.setCookieHandlingRequired(true); is set by the client the request headers that are sent to the notifyUser method are different. For example:

    When client.connectionOptions.setCookieHandlingRequired is set to true:

    headers:
    { cookie: 'connect.sid=s%3A8RiLRECNKkGGSJOQnKGdGizY.iqYm2IPNgzJph7Qk%2BrG1pEqktnlm0KVLtpXEVZ5L2Yw; XSRF-TOKEN=jhIQq6AYLGxE2DrjxiK8L1zg67RfV0eaCt0N0%3D',
    connection: 'keep-alive',
    host: 'localhost',
    'accept-language': 'en-US,en;q=0.5',
    accept: '*/*',
    'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:29.0) Gecko/20100101 Firefox/29.0',
    'accept-encoding': 'gzip, deflate',
    referer: 'https://localhost:4433/view1',
    REQUEST_ID: '7' } }

    .... and when client.connectionOptions.setCookieHandlingRequired is set to false:

    headers:
    { 'content-type': 'application/x-www-form-urlencoded; charset=UTF-8',
    'cache-control': 'no-cache',
    connection: 'keep-alive',
    host: 'localhost',
    'accept-language': 'en-US,en;q=0.5',
    accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'content-length': '147',
    origin: 'https://localhost:4433',
    'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:29.0) Gecko/20100101 Firefox/29.0',
    'accept-encoding': 'gzip, deflate',
    referer: 'https://localhost:4433/view1',
    pragma: 'no-cache',
    REQUEST_ID: '4' } }

    As we can see above the headers are different by more than just the cookie. For example when setCookieHandlingRequired is true the origin field is not specified.

    When setCookieHandlingRequired is true my LS client can't connect; I have a feeling that the problem is related to the differences mentioned above.

    Please can you advise?

    Thanks.

  8. #8
    To call success asynchronously is legal but it must execute "fast" or else the client will discard the connection as not working and will create a new session: can you confirm that this is what happens?

    How long does it take for the asynchronous response from the database to come back? You might increase the connect timeout to wait a bit longer for the DB response but this has a negative impact on the automatic fallback mechanisms for cases where there are real network issues so you should first try to make the DB faster. See http://www.lightstreamer.com/distros...ConnectTimeout
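    Putting together the cookie forwarding described in post #2 and the "success must be fast" rule above, here is an added example that is not code from this thread or from Lightstreamer: a Node.js notifyUser handler for the remote Metadata Adapter that parses the forwarded Cookie header, checks the session against an asynchronous store under a time budget (so a slow database cannot stall the connect), and only then calls response.success. The in-memory store, the 2-second budget and response.error(message, 'access') as the denial call are assumptions.

```javascript
const MAX_BANDWIDTH = 100000000;   // the value used in the thread
const AUTH_TIMEOUT_MS = 2000;      // assumed budget, kept well below the client connect timeout

// Parse a raw Cookie header into a name->value map. Values are URL-decoded
// ('s%3A...' becomes 's:...'); malformed pairs are skipped.
function parseCookieHeader(header) {
  const out = {};
  for (const part of String(header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq <= 0) continue;
    const name = part.slice(0, eq).trim();
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep the raw value */ }
    out[name] = value;
  }
  return out;
}

// Race the store lookup against a timer; resolves to the session record or
// null when the session is unknown, the lookup fails, or the budget is exceeded.
function lookupWithBudget(lookupFn, sid, ms) {
  let timer;
  const deadline = new Promise((resolve) => { timer = setTimeout(() => resolve(null), ms); });
  const lookup = Promise.resolve().then(() => lookupFn(sid)).catch(() => null);
  return Promise.race([lookup, deadline]).finally(() => clearTimeout(timer));
}

// The session cookie is the only credential used: userName/userPassword are
// null in the thread's requests. Returns { ok, user } or { ok:false, reason }.
async function authenticate(request, lookupFn, budgetMs = AUTH_TIMEOUT_MS) {
  const cookies = parseCookieHeader(request.headers && request.headers.cookie);
  const sid = cookies['connect.sid'];
  if (!sid) return { ok: false, reason: 'no session cookie forwarded' };
  const session = await lookupWithBudget(lookupFn, sid, budgetMs);
  if (!session || !session.user) return { ok: false, reason: 'unknown, expired or slow session lookup' };
  return { ok: true, user: session.user };
}

// Constructed in-memory store standing in for the database lookup.
const SESSIONS = { 's:abc123.sig': { user: 'alice' } };
function demoLookup(sid) { return Promise.resolve(SESSIONS[sid] || null); }

// Wiring into the adapter, using the on('notifyUser') / response.success API
// shown in the thread; response.error(message, type) is an assumed denial call.
function installNotifyUser(metadataProvider, lookupFn) {
  metadataProvider.on('notifyUser', (request, response) => {
    authenticate(request, lookupFn).then((result) => {
      if (result.ok) response.success(MAX_BANDWIDTH, false);
      else response.error(result.reason, 'access');
    });
  });
}
```

A denied or timed-out lookup answers the server immediately instead of leaving the connect hanging, which is the failure mode described in posts #6 and #8.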

  9. #9
    Thanks for the info - that is useful to know. However, when I set setCookieHandlingRequired to true the client still won't connect even if I remove the DB call completely (i.e. change the body of notifyUser simply to response.success(100000000,false); )

    Maybe there is a separate issue?

  10. #10
    I have just double checked: it is simply the following line that, when it is un-commented, seems to prevent the LS client from connecting.

    client.connectionOptions.setCookieHandlingRequired(true);

    If I comment this out and refresh the site in the browser without changing anything else, everything works fine (albeit with the body of the notifyUser method simply being response.success(1000000,false); at the moment).
